Abstract

Intuitionistic logic has become ubiquitous in computer science. An important question is
how to teach intuitionistic logic to computer science and mathematics students. We
attempted such an exposition in Nerode [1989] using Kripke models, which allow us
to represent states of knowledge about machines. In the present article we give an introduction,
without proofs, to the semantics of recursive realizability and the Curry-Howard
Isomorphism. This is the subject behind term-extraction functional computer languages
such as ML or NuPRL.


§1. Orientation. Logical deduction and computation.

§2. Intuitionistic natural deduction. Exercises and other necessary information.

§3. Heyting's semantics. Intuitionistic proofs reflect constructions and hence algorithms.

Kleene's realizability for HA. Programs from intuitionistic arithmetic proofs.

Untyped application. Curry's untyped combinators.

Untyped λ-calculus. Church's untyped λ-terms and reduction.

Set theory and applications. The replacement schema.

Simply typed λ-calculus. Arrow and product types, reduction.

Curry-Howard Isomorphism. Simple typed λ-calculus and the logic of "and" and "implies".
"Propositions as types", "deductions as terms".

Typed combinators. The way to Cartesian closed categories.

Second order propositional calculus. "Implies", "and", "for all".

Polymorphic lambda calculus. Universal types for reusable code.

Curry-Howard isomorphism. Second order propositional logic and the polymorphic
λ-calculus.

Intuitionistic Zermelo-Fraenkel Set Theory (IZF). Constructive set theory,
higher order and impredicative proofs. Recursive realizability and the extraction of
programs from IZF proofs.

Resume of extractions of programs from proofs. Brief history.


§1. Orientation. Here is a paradigm.

Deductions are computations.
Computations are deductions.

We do not intend this in a narrow sense. Here are some generic examples.

a) A first example of "deduction as computation" is backward chaining. An
algorithm for searching for a deduction of A from B1, ..., Bn may start with a desired
conclusion A, and then apply all rules of deduction in reverse systematically at
intermediate stages to see how each statement could arise as an intermediate conclusion
from intermediate premises. The algorithm then terminates when A has been traced back
through various stages to the assumptions, and does not terminate if it never
succeeds in constructing a deduction of A from B1, ..., Bn. Look at any treatment of logic
programming, resolution theorem provers (Robinson [1965]), or an ideal PROLOG interpreter or compiler
(Lloyd [1989]).

b) A second example of "deduction as computation" is forward chaining. An
algorithm for searching for a deduction of A from B1, ..., Bn may start with B1, ..., Bn
as data, applying all rules of deduction systematically at intermediate stages to
intermediate premises to obtain intermediate conclusions. The program then terminates
when A is obtained as a conclusion, and therefore when a deduction of A from
B1, ..., Bn has been obtained. An idealization of the classificatory expert system language
OPS5 is an example (Brownston et al. [1985]).

In both of these examples a) and b) all the deduction rules correspond to internal
commands of the appropriate computer language, which may be sequential or parallel.

What  is  implemented  in  a  compiler  or  interpreter  is  a  systematic  search  procedure  for  such 
a  deduction,  a  proof  procedure  which  is  complete  in  the  sense  of  a  completeness  theorem  for 
the  underlying  logic.  (We  ignore  the  short-cuts  taken  by  language  writers  to  get  efficiency 
by  violating  correctness  and  completeness.) 

c)  A  third  example  of  "deduction  as  computation"  is  the  implementation  of 
intuitionistic  deduction.  Intuitionistic  deduction  is  the  form  of  deduction  in  systems  based 
on  Heyting's  work  of  the  1930's,  which  restricts  the  use  of  logical  deduction  rules  to  those 
used  in  the  constructive  reasoning  of  L.  E.  J.  Brouwer,  the  distinguished  Dutch 
mathematician who originated Intuitionism after the turn of the century. One can search
for  a  deduction  as  above.  But  often,  unlike  the  cases  above,  the  emphasis  is  not  on 
searching  for  a  deduction,  but  rather  on  converting  a  given  intuitionistic  deduction  which 
proves  the  existence  of  an  object,  into  an  algorithm  for  computing  that  object. 

Intuitionistic  deductions  are  constructive.  One  can  write  a  program  which,  applied  to  any 
input which is a constructive proof that an object exists, terminates with an output which
is  a  program  for  computing  that  object.  This  is  called 


"extracting  programs  from  (constructive)  proofs". 


Conceptually  this  idea  of  extraction  goes  back  to  Heyting  [1934]  and  Kleene  [1945].  When 
applied  to  a  constructive  proof  that  a  definition  defines  a  function  F  on  some  data  types 
(the  function  is  an  object,  in  the  terminology  above),  this  extraction  program  produces  a 
program  for  computing  the  function  F.  This  is  the  basis  for  many  recent  high  level 
functional programming languages. These include AUTOMATH (DeBruijn [1973, 1980]),
NuPRL (Constable [1986], Martin-Löf [1984, 1987]), ML and other polymorphic
languages  (Reynolds  [1974],  Girard  [1972, 1986])  such  as  the  theory  of  "Constructions"  of 
Huet  and  Coquand  [1985].  Extending  this  relation  between  intuitionistic  deduction  and 
computation  to  wider  domains  of  computer  science  problems  is  an  important  area  of 
current  research.  One  of  the  main  reasons  for  studying  intuitionistic  systems  in  computer 
science  is  that  among  its  likely  future  achievements  is  the  production  of  guaranteed  correct 
programming  languages. 


d) Here is an example of "computation as deduction". Think of a computation as
proceeding in stages, and as having a unique state at each stage and a unique input history.
Allow parallelism and non-determinism. Each successive state is one of the possible
successors of the previous state of the processor and input history. The possible finite
sequences of states compatible with machine operation rules are the possible finite
execution sequences. A sequential machine is one with only one execution sequence. A
crude translation from execution sequences to deductions is this. Given the input history
H and the current state S and one possible successor state S' (there may be many),
associate one rule of inference I_{H,S,S'} with H, S as premises, and S' as conclusion.
Finite deductions from an initial state and history represent execution sequences. We are
deducing possible execution sequences. This is an operational point of view, and uses
states. There are many other points of view on computation, and each admits a
corresponding deduction system so far as we can see. From another point of view, each
execution sequence is a model of a theory, rather than a deduction in the theory.




e) Every system in which program correctness (i.e., that programs meet their
program specification) can be proved can be construed as a logical system, for in what else
can one prove anything? There is an enormous quantity of ongoing work concerning
sequential programs on program specification, program development, and program
correctness. When substantial code is involved, carrying out these tasks for sequential
programs is itself an art of cooperation of many hands, fraught with difficulties in
maintaining accuracy and efficiency, and generally not carried out in a formal way in
practice. Making as much of the process as routine as possible, and then automating these
routine parts by programs themselves is commercially desirable and theoretically very
interesting. It is not at all clear a priori what methodologies can be developed, but
intellectual tools are slowly emerging, many from mathematical logic. Increasingly these
tools come from, or are simply related to, themes of intuitionistic logic rather than themes
of classical logic. This is because intuitionistic systems permit extraction of programs from
deductions. Computer aided extraction of programs from program specifications is an
ultimate aim. The validation of the computer aided extraction would then automatically
show the correctness of all programs extracted.

f)  Here  is  another  role  of  the  theory  of  deductions,  traditionally  called  proof  theory. 
Proof  theory  deals  with  proof-simplification,  originally  intended  for  applications  to 
consistency  proofs.  Proof-theoretic  analyses  often  yield  algorithms  for  converting 
deductions  into  deductions  of  a  very  restricted  form.  To  search  for  a  deduction  then 
becomes  a  search  for  one  of  a  restricted  form.  This  often  forms  the  basis  for  new  forward 
or backward chaining search-for-a-deduction compilers and interpreters. Such a new
interpreter or compiler may run more efficiently than those based on older procedures since
what  has  to  be  searched  for  comes  out  of  a  smaller  class.  The  evolution  of  backward 
chaining  resolution  theorem  proving  bears  this  out,  starting  with  simple  resolution  on 
ground  terms,  proceeding  to  unification,  and  then  going  on  to  SLD  resolution,  etc. 
(Robinson  [1965]).  The  same  holds  of  algorithmic  improvements  in  the  deduction  systems 
for  forward  chaining  systems.  As  for  the  intuitionistic  deduction  systems  mentioned  above, 
they  depend  exactly  on  the  proof-simplification  procedures  of  proof  theory.  In  fact,  they 
compute  by  simplifying  deductions,  and  terminate  when  the  simplification  is  complete 
(they  terminate  in  a  normal  term  or  deduction,  see  below). 

Corresponding  work  for  extraction  of  code  for  distributed  and  concurrent  programs  from 
proofs  is  in  its  infancy.  We  do  not  know  enough  about  how  to  proceed  from  program 
specification  to  code  dividing  up  execution  among  many  processors  in  such  a  way  as  to 
avoid  sequential  bottlenecks,  if  this  is  indeed  possible  at  all. 

In  trying  to  understand  any  new  quantitative  subject  matter,  any  kind  of  rigorous 
reasoning  is,  of  course,  allowed.  The  coarsest  reasoning  is  classical  reasoning  in  which 
proofs  of  the  existence  of  objects  may  even  be  obtained  by  supposing  the  object  does  not 


exist  and  then  getting  a  contradiction.  A  typical  example  of  such  a  situation  in  computer 
science  is  giving  a  non-constructive  proof  that  in  a  computing  environment  with  several 
computing  agents  which  compete  for  use  of  a  resource  (such  as  disk  access),  the  program 
governing  use  of  the  resource  has  the  property  that  for  each  agent  there  exists  a  time  at 
which  that  agent  will  be  given  access  (but  we  may  not  know  how  much  delay  each 
computing  agent  will  encounter  in  waiting  for  access  to  the  resource). 

But usually only "constructive" reasoning is likely to be of practical use. One actually has
to  get  one's  hands  on  algorithms  for  computing  things  asserted  to  exist  and  bounds  on  their 
running  time  to  make  any  use  of  them.  In  the  above  instance,  knowing  that  disk  access 
will  eventually  take  place  is  of  little  use  without  a  bound  on  how  long  that  may  take,  and 
this  time  better  be  reasonable,  or  the  program  will  not  be  used. 

Can  a  given  instance  of  non-constructive  reasoning  be  replaced  by  constructive  reasoning? 
This  is  often  a  highly  non-trivial  mathematical  question,  only  answerable  by  hard 
mathematical work. See e.g., Friedman (1978). Often a non-constructive existence proof is
"cheap"  in  terms  of  the  time  necessary  to  establish  it,  and  is  also  quite  general  and 
aesthetically  pleasing.  Finding  a  constructive  version  of  that  proof  requires  looking  at 
exactly  how  existence  was  obtained,  and  filling  in  whatever  additional  information  and 
algorithms  are  needed  in  order  to  compute  the  thing  asserted  to  exist. 

First,  we  give  a  standard  formalization  of  intuitionistic  predicate  logic  by  natural 
deduction  in  the  form  due  to  Prawitz. 

§2.  Intuitionistic  natural  deduction.  In  the  early  1930's  Heyting  developed  formal 
intuitionistic  predicate  logic  to  describe  Brouwer's  mode  of  constructive  reasoning.  We  use 
the  Prawitz  [1965]  formulation  of  intuitionistic  deductions  as  trees  formed  using  Gentzen's 
introduction  and  elimination  rules.  We  take  for  granted  the  usual  inductive  definition  of 
predicate logic formulas based on "∧" (and), "∨" (or), "¬" (not), "∃" (there exists), "∀"
(for all), "F" (falsehood), together with relation symbols and variables. We do not
introduce  a  "T".  In  formulas  we  omit  as  many  brackets  as  possible,  and  sometimes  use 
both  round  and  square  brackets  in  the  same  formula  for  legibility. 

Here  is  an  example  of  an  ordinary  mathematical  proof  and  its  natural  deduction 
equivalent.  This  will  help  in  puzzling  out  the  formal  definition  below. 


Example. Consider how one ordinarily proves A ∧ B → B ∧ A. Explanation of the rules
used is on the next page.

ORDINARY PROOF                      REASON
Suppose A ∧ B.                      assumption
Then A ∧ B yields A.                ∧-elimination
Also A ∧ B yields B.                ∧-elimination
Then B, A yield B ∧ A.              ∧-introduction
Conclude A ∧ B → B ∧ A.             →-introduction,
                                    cancellation of assumption

This yields the natural deduction proof (in the typeset trees a canceled assumption is
written in square brackets, standing for the horizontal line drawn through it on paper)

    [A ∧ B]   [A ∧ B]
    -------   -------
       B         A
    -----------------
          B ∧ A
    -----------------
      A ∧ B → B ∧ A


Cancellation  takes  place  when  we  legally  drop  an  hypothesis  as  the  conclusion  is  reached. 
For  example,  if  A  is  an  hypothesis  and  B  is  the  conclusion,  and  we  want  to  conclude 
A  -•  B  ,  then  we  can  cancel  A  since  it  is  not  needed  to  justify  the  implication.  All 
deductions  will  be  finite  labelled  trees,  with  the  root  at  the  bottom  and  the  leaves  (upper 
most  nodes  farthest  from  the  root)  at  the  top.  The  labels  are  on  the  nodes.  The  label  on 
the  root  node  is  the  conclusion.  In  the  case  of  a  non-leaf  node,  the  label  on  the  node  is  a 
formula.  In  the  case  of  leaf  nodes,  every  label  is  a  formula  or  a  canceled  formula  (a  formula 
with  a  horizontal  line  through  the  middle).  The  uncanceled  formulas  on  the  leaves  are 
called  the  assumptions  of  the  deduction,  the  canceled  formulas  on  the  leaf  nodes  are  called 
the  canceled  assumptions.  Individual  occurrences  of  assumptions  will  be  distinguished  at 
all  times.  In  particular,  there  will  be  a  process  of  "canceling"  assumptions  (putting  a 
horizontal  bar  through  the  assumption),  and  we  are  allowed  to  cancel  none,  some,  or  all 
occurrences  of  a  given  assumption. 

All  natural  deduction  rules  are  to  be  regarded  as  constructing  new  finite  labelled  trees  from 
old  finite  labelled  trees,  possibly  canceling  some  assumptions  in  the  process,  and  always 
preserving  previous  cancellations.  Among  the  operations  listed  below,  "implication 
introduction",  "or  elimination",  and  "existential  quantifier  elimination"  are  the  only  ones 
which  newly  cancel  assumptions,  the  rest  do  not  alter  the  canceled  or  uncanceled  character 
of the assumptions. When we have no need to refer to assumptions we write the tree as

      ⋮
      B

If we need to refer to a formula A as an assumption (which may occur vacuously on the
tree), we write

      A
      ⋮
      B

We need to start with atomic deductions. These are of the form

      A

where the assumption and the conclusion are exactly the same.

In  the  deduction  rules  we  separate  the  conclusion  from  the  premises  by  a  horizontal  bar. 
This is not present in the formal definition of a deduction as a labelled tree, but is the
standard  way  of  writing  natural  deductions  with  paper  and  pencil. 

∧ - elimination.

From a deduction of A ∧ B

      ⋮
    A ∧ B

form a deduction of A,

      ⋮
    A ∧ B
    -----
      A

and similarly with B ∧ A in place of A ∧ B.

∧ - elimination.

From a deduction of A ∧ B

      ⋮
    A ∧ B

form a deduction of B,

      ⋮
    A ∧ B
    -----
      B

and similarly with B ∧ A in place of A ∧ B.

→ - introduction.

From a deduction of B with assumption A

      A
      ⋮
      B

form a deduction of A → B,

     [A]
      ⋮
      B
    -----
    A → B

where none or some or all occurrences of assumption A may be canceled.

→ - elimination.

From a deduction of A

      ⋮
      A

and a deduction of A → B

      ⋮
    A → B

form a deduction of B

      ⋮       ⋮
      A     A → B
    -------------
          B

Exercises. Give natural deduction proofs. (Here φ ↔ ψ is an abbreviation for
(φ → ψ) ∧ (ψ → φ).)

1. (φ ∧ ψ) → φ

2. (φ ∧ ψ) ↔ (ψ ∧ φ)

3. ((φ ∧ ψ) ∧ σ) ↔ (φ ∧ (ψ ∧ σ))

4. [formula illegible in the scan]

5. (φ → ψ) [rest of formula illegible in the scan]

6. (φ → ψ) → ((ψ → σ) → (φ → σ))

7. (φ → (ψ → σ)) → ((φ ∧ ψ) → σ)

8. ((φ ∧ ψ) → σ) → (φ → (ψ → σ))

∀ - introduction.

From a deduction of A

      ⋮
      A

form a deduction of (∀x)A

      ⋮
      A
    ------
    (∀x)A

provided x is not free in any uncanceled assumption.

∀ - elimination.

From a deduction of (∀x)A

      ⋮
    (∀x)A

form a deduction of A[t/x]

      ⋮
    (∀x)A
    ------
    A[t/x]

provided t is a term free for x in A. (t is called free for x in A if the result A[t/x] of
the simultaneous substitution of t for all free occurrences of x throughout A does not
render any occurrence of any variable bound that was not bound before the substitution.)

Example. We take an ordinary mathematical proof of (∀x)(∀y)A(x,y) → (∀y)(∀x)A(x,y)
and convert it to a natural deduction proof.

ORDINARY PROOF                                   TRANSLATION
Suppose (∀x)(∀y)A(x, y).                         premise
Then (∀y)A(x, y).                                ∀-elimination
So A(x, y).                                      ∀-elimination
So (∀x)A(x, y).                                  ∀-introduction
So (∀y)(∀x)A(x, y).                              ∀-introduction
Therefore (∀x)(∀y)A(x, y) → (∀y)(∀x)A(x, y).     →-introduction and
                                                 assumption cancellation

This gives the following natural deduction proof.

      [(∀x)(∀y)A(x,y)]
      ----------------
         (∀y)A(x,y)
         ----------
           A(x,y)
         ----------
         (∀x)A(x,y)
      ----------------
       (∀y)(∀x)A(x,y)
    ---------------------------------
    (∀x)(∀y)A(x,y) → (∀y)(∀x)A(x,y)

Exercise. Prove by natural deduction.

[(∀x)(φ(x) ∧ ψ(x))] ↔ [(∀x)φ(x) ∧ (∀x)ψ(x)]


∨ - introduction (left).

From a deduction of A

      ⋮
      A

form a deduction of A ∨ B

      ⋮
      A
    -----
    A ∨ B

∨ - introduction (right).

From a deduction of B

      ⋮
      B

form a deduction of A ∨ B

      ⋮
      B
    -----
    A ∨ B

∨ - elimination.

From a deduction of C from A

      A
      ⋮
      C

and a deduction of C from B

      B
      ⋮
      C

form a deduction of C

            [A]   [B]
             ⋮     ⋮
    A ∨ B    C     C
    -----------------
            C

where none, some, or all occurrences of A, B as assumptions may be canceled, and A ∨ B
is made an assumption.

The format of this rule is the hardest to get used to. But it is merely a notation for proof
by exhaustion of cases. Read it as follows.

Case 1. Deduce C from assumption A.

Case 2. Deduce C from assumption B.

Therefore we may deduce C from assumption A ∨ B, canceling premises A, B if we like.

Example. We give an example of translating ordinary proofs. Deduce conclusion
(A ∨ B) ∧ (A ∨ C) from premise A ∨ (B ∧ C).

ORDINARY MATHEMATICAL PROOF. Start from the conclusion and work back
toward the premise.

Part 1. Suppose we know the conclusion (A ∨ B) ∧ (A ∨ C). Then we must have had
(A ∨ B) and (A ∨ C) as intermediate premises. This gives us two intermediate
conclusions to work toward, A ∨ B and A ∨ C.

Now start with the premise and work forward toward the conclusion.

Part 2. Suppose the premise A ∨ (B ∧ C) holds.

Case 1. Assume A. Then A ∨ B.

Case 2. Assume B ∧ C. Then B, and therefore A ∨ B.

Therefore from the premise A ∨ (B ∧ C) alone, we conclude A ∨ B.

Part 3. Suppose the premise A ∨ (B ∧ C) holds.

Case 1. Assume A. Then A ∨ C.

Case 2. Assume B ∧ C. Then C, and therefore A ∨ C.

So we get A ∨ C, based only on the premise A ∨ (B ∧ C). Therefore from the premise
A ∨ (B ∧ C) alone we conclude A ∨ C.

This completes the proof.

Part 1 is reflected by the ∧-introduction.

      A ∨ B    A ∨ C
    -------------------
    (A ∨ B) ∧ (A ∨ C)

Part 2 is reflected by

                         [B ∧ C]
                         -------
                  [A]       B
                 -----   -------
    A ∨ (B ∧ C)  A ∨ B    A ∨ B
    ----------------------------
              A ∨ B

Part 3 is reflected by

                         [B ∧ C]
                         -------
                  [A]       C
                 -----   -------
    A ∨ (B ∧ C)  A ∨ C    A ∨ C
    ----------------------------
              A ∨ C

Combining,

                         [B ∧ C]                                  [B ∧ C]
                         -------                                  -------
                  [A]       B                              [A]       C
                 -----   -------                          -----   -------
    A ∨ (B ∧ C)  A ∨ B    A ∨ B              A ∨ (B ∧ C)  A ∨ C    A ∨ C
    ----------------------------             ----------------------------
              A ∨ B                                    A ∨ C
    --------------------------------------------------------------------
                           (A ∨ B) ∧ (A ∨ C)

First we decode the conclusion by introduction rules from intermediate premises to see
what we have to work forward to. Then we decode the original premises by elimination
rules to get the intermediate premises. Then the natural deduction proof consists of joining
these pieces, one for the conclusion, one for every intermediate premise uncovered. This is
the best method for finding natural deductions.
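As an added illustration (not code from the notes), here is a checker for propositional deductions in exactly the labelled-tree form defined above, restricted to ∧, ∨ and →. It verifies each rule application, tracks which assumptions are canceled, and returns the uncanceled ones; the two deductions worked above (A ∧ B → B ∧ A, and (A ∨ B) ∧ (A ∨ C) from A ∨ (B ∧ C)) are encoded as test cases. The Ded class and rule names such as andE1 are this example's own conventions, and a cancellation is taken to discharge every occurrence of the named assumption in its subtree (the "all" option of the notes).

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Formulas are nested tuples: ('var', 'A'), ('and', p, q), ('or', p, q), ('imp', p, q).
def var(name: str) -> tuple: return ('var', name)
def And(p: tuple, q: tuple) -> tuple: return ('and', p, q)
def Or(p: tuple, q: tuple) -> tuple: return ('or', p, q)
def Imp(p: tuple, q: tuple) -> tuple: return ('imp', p, q)

def show(f: tuple) -> str:
    """Render a formula with the symbols used in the notes."""
    if f[0] == 'var':
        return f[1]
    sym = {'and': '∧', 'or': '∨', 'imp': '→'}[f[0]]
    return '(' + show(f[1]) + ' ' + sym + ' ' + show(f[2]) + ')'

@dataclass(frozen=True)
class Ded:
    """One node of a deduction tree: the rule applied, its conclusion (the node label),
    the subtrees above the bar and, for →I and ∨E only, the assumption canceled in each
    subtree that may cancel one (None = the "none" option of the notes)."""
    rule: str
    concl: tuple
    subs: Tuple['Ded', ...] = ()
    cancel: Tuple[Optional[tuple], ...] = ()

# Number of subtrees each rule takes (the atomic deduction 'assume' takes none).
ARITY = {'assume': 0, 'andI': 2, 'andE1': 1, 'andE2': 1,
         'orI1': 1, 'orI2': 1, 'orE': 3, 'impI': 1, 'impE': 2}

class BadDeduction(Exception):
    pass

def need(cond: bool, d: Ded) -> None:
    if not cond:
        raise BadDeduction('rule ' + d.rule + ' does not yield ' + show(d.concl))

def check(d: Ded) -> FrozenSet[tuple]:
    """Verify every rule application in d and return its uncanceled assumptions."""
    need(d.rule in ARITY and len(d.subs) == ARITY[d.rule], d)
    opens = [check(s) for s in d.subs]          # open assumptions of each subtree
    c, r = d.concl, d.rule
    if r == 'assume':                           # atomic deduction: A above A
        return frozenset([c])
    prem = [s.concl for s in d.subs]
    if r == 'andI':
        need(c == And(prem[0], prem[1]), d)
    elif r in ('andE1', 'andE2'):
        p = prem[0]
        need(p[0] == 'and' and c == (p[1] if r == 'andE1' else p[2]), d)
    elif r in ('orI1', 'orI2'):
        need(c[0] == 'or' and (c[1] if r == 'orI1' else c[2]) == prem[0], d)
    elif r == 'impE':
        need(prem[1] == Imp(prem[0], c), d)
    elif r == 'impI':                           # may cancel the antecedent above the bar
        need(c[0] == 'imp' and c[2] == prem[0], d)
        need(len(d.cancel) == 1 and d.cancel[0] in (None, c[1]), d)
        opens[0] = opens[0] - {d.cancel[0]}
    elif r == 'orE':                            # cases: may cancel A in case 1, B in case 2
        disj = prem[0]
        need(disj[0] == 'or' and prem[1] == c and prem[2] == c, d)
        need(len(d.cancel) == 2 and d.cancel[0] in (None, disj[1])
             and d.cancel[1] in (None, disj[2]), d)
        opens[1] = opens[1] - {d.cancel[0]}
        opens[2] = opens[2] - {d.cancel[1]}
    return frozenset().union(*opens)

A, B, C = var('A'), var('B'), var('C')

def swap_proof() -> Ded:
    """The notes' first example, A ∧ B → B ∧ A, canceling both copies of A ∧ B."""
    hyp = Ded('assume', And(A, B))
    b, a = Ded('andE2', B, (hyp,)), Ded('andE1', A, (hyp,))
    return Ded('impI', Imp(And(A, B), And(B, A)),
               (Ded('andI', And(B, A), (b, a)),), cancel=(And(A, B),))

def distrib_proof() -> Ded:
    """A ∨ (B ∧ C) ⊢ (A ∨ B) ∧ (A ∨ C), joined from Parts 1-3 of the notes' example."""
    prem = Ded('assume', Or(A, And(B, C)))
    def part(x: tuple, sel: str) -> Ded:        # Part 2: x = B; Part 3: x = C
        goal = Or(A, x)
        case1 = Ded('orI1', goal, (Ded('assume', A),))
        case2 = Ded('orI2', goal, (Ded(sel, x, (Ded('assume', And(B, C)),)),))
        return Ded('orE', goal, (prem, case1, case2), cancel=(A, And(B, C)))
    return Ded('andI', And(Or(A, B), Or(A, C)), (part(B, 'andE1'), part(C, 'andE2')))

if __name__ == '__main__':
    print(show(swap_proof().concl), 'open assumptions:', check(swap_proof()))
    print(show(distrib_proof().concl), 'open assumptions:',
          [show(f) for f in check(distrib_proof())])
```

The first deduction has no open assumptions left, the second has exactly the premise A ∨ (B ∧ C) open, and a tree that cancels a formula the rule does not permit is rejected.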

Example. Check yourself that the following is a derivation of (A ∧ B) ∨ (A ∧ C) from
A ∧ (B ∨ C).

                   A ∧ (B ∨ C)                A ∧ (B ∨ C)
                   -----------                -----------
                        A         [B]              A         [C]
                   -------------------        -------------------
                         A ∧ B                      A ∧ C
    A ∧ (B ∨ C)    -------------------        -------------------
    -----------    (A ∧ B) ∨ (A ∧ C)          (A ∧ B) ∨ (A ∧ C)
       B ∨ C
    ------------------------------------------------------------
                          (A ∧ B) ∨ (A ∧ C)

Example. We translate an ordinary proof into natural deduction. We deduce
(∀x)(φ(x) ∨ ψ(x)) from (∀x)φ(x) ∨ (∀x)ψ(x).

ORDINARY PROOF.

There are two cases.

Case 1. (∀x)φ(x). In this case φ(x) for any x, so φ(x) ∨ ψ(x).

Case 2. (∀x)ψ(x). In this case ψ(x) for any x, so φ(x) ∨ ψ(x).

But we have assumption (∀x)φ(x) ∨ (∀x)ψ(x), so one of the cases holds. We can cancel the
assumptions (∀x)φ(x), (∀x)ψ(x) and conclude φ(x) ∨ ψ(x), and therefore
(∀x)(φ(x) ∨ ψ(x)). The corresponding natural deduction is

                           [(∀x)φ(x)]     [(∀x)ψ(x)]
                           ----------     ----------
                              φ(x)           ψ(x)
                           -----------    -----------
    (∀x)φ(x) ∨ (∀x)ψ(x)    φ(x) ∨ ψ(x)    φ(x) ∨ ψ(x)
    ------------------------------------------------
                      φ(x) ∨ ψ(x)
                  -------------------
                  (∀x)(φ(x) ∨ ψ(x))

Exercises. Give natural deduction proofs. Treat "if and only if", that is ↔, as defined by
two implications.

1. (φ ∨ ψ) ↔ (ψ ∨ φ)

2. ((φ ∨ ψ) ∨ σ) ↔ (φ ∨ (ψ ∨ σ))

3. (φ ∨ (ψ ∧ σ)) ↔ ((φ ∨ ψ) ∧ (φ ∨ σ))

4. (φ ∧ (ψ ∨ σ)) ↔ ((φ ∧ ψ) ∨ (φ ∧ σ))
∃ - introduction.

From a deduction of A(t),

      ⋮
     A(t)

form a deduction of (∃x)A(x),

      ⋮
     A(t)
    --------
    (∃x)A(x)

provided t is free for x in A(x).

∃ - elimination.

From a deduction of B from A(x)

     A(x)
      ⋮
      B

and provided x is not free in B or any assumption, form a deduction of B with (∃x)A(x) as
an assumption, and in which none or some or all occurrences of A(x) as assumptions may be
canceled

              [A(x)]
                ⋮
    (∃x)A(x)    B
    --------------
          B

Exercises. Give natural deduction proofs. Treat "if and only if" as defined by two
implications.

1. (∃x)(φ(x) ∨ ψ(x)) ↔ (∃x)φ(x) ∨ (∃x)ψ(x)

2. (φ ∨ (∀x)ψ(x)) → (∀x)(φ ∨ ψ(x)), x not free in φ

3. (φ ∧ (∃x)ψ(x)) → (∃x)(φ ∧ ψ(x)), x not free in φ

4. (∃x)(φ → ψ(x)) → (φ → (∃x)ψ(x)), x not free in φ

5. (∃x)(φ ∧ ψ(x)) → (φ ∧ (∃x)ψ(x)), x not free in φ

6. (∃x)(φ(x) → ψ) → ((∀x)φ(x) → ψ), x not free in ψ

7. ((∃x)φ(x) → ψ) → (∀x)(φ(x) → ψ), x not free in ψ

Now assume that F (falsehood) is an additional logical constant.

¬ - introduction (The absurdity rule)

From a deduction of F from A

      A
      ⋮
      F

construct the deduction of B

      A
      ⋮
      F
    -----
      B

Remark. A particular case of this rule when ¬A is substituted for B is that if A leads to
an absurdity (that is, F), then ¬A can be deduced. Think of ¬A as meaning that the
assumption A leads to a contradiction. In fact we can replace ¬A by A → F, and
dispense with ¬ as a primitive entirely. This completes a system for intuitionistic
propositional and predicate logic.

Exercise. Give intuitionistic natural deduction proofs. Treat if and only if as two
implications.

1. [formula illegible in the scan]

2. (φ → ψ) → [rest of formula illegible in the scan]

3. [formula illegible in the scan]

4. [formula illegible in the scan]

5. ¬¬(φ ∧ ψ) ↔ (¬¬φ ∧ ¬¬ψ)

6. ¬¬(∀x)φ(x) → (∀x)¬¬φ(x)

7. ¬(φ ∨ ψ) → (¬φ ∧ ¬ψ)

8. (¬φ ∧ ¬ψ) → ¬(φ ∨ ψ)

9. (¬φ ∨ ¬ψ) → ¬(φ ∧ ψ)

10. φ → [rest of formula illegible in the scan]

11. F ↔ (φ ∧ ¬φ)

12. ¬(∃x)φ(x) → (∀x)¬φ(x)

13. (∀x)¬φ(x) → ¬(∃x)φ(x)

14. (∃x)¬φ(x) → ¬(∀x)φ(x)

Classical natural deduction. To get a system for classical propositional or predicate logic,
add the law of the excluded middle.

¬ - elimination. (Reductio Ad Absurdum, or RAA)

From a deduction of falsity from ¬A

     ¬A
      ⋮
      F

form a deduction of A

    [¬A]
      ⋮
      F
    -----
      A

and none or some or all assumptions can be canceled.

Remark. The absurdity rule would deduce from

     ¬A
      ⋮
      F

only ¬¬A. RAA deduces A.

Exercise. Show that every instance of the excluded middle A ∨ ¬A can be deduced using
RAA.
Exercises. Below is a list of classically valid formulas which are not intuitionistically valid.
For each give a natural deduction proof using the law of the excluded middle.

1. (φ ∨ ¬φ)

2. [formula illegible in the scan]

3. ¬(φ ∧ ψ) → (¬φ ∨ ¬ψ)

4. ¬φ ∨ ¬¬φ

5. (φ → ψ) ∨ [rest of formula illegible in the scan]

6. [formula illegible in the scan]

7. [formula illegible in the scan]

8. (φ → ψ) → (¬φ ∨ ψ)

9. [formula illegible in the scan]

10. ¬(∀x)φ(x) → (∃x)¬φ(x)

11. (∀x)¬¬φ(x) → ¬¬(∀x)φ(x)

12. (∀x)(φ ∨ ψ(x)) → (φ ∨ (∀x)ψ(x)), x not free in φ.

13. (φ → (∃x)ψ(x)) → (∃x)(φ → ψ(x)), x not free in φ.

14. ((∀x)φ(x) → ψ) → (∃x)(φ(x) → ψ), x not free in ψ.

15. ((∀x)(φ(x) ∨ ¬φ(x)) ∧ ¬¬(∃x)φ(x)) → (∃x)φ(x)

§3. Heyting's semantics. In 1936 Heyting gave a sketch of an informal semantics for the
logical connectives "∃", "F" based on the notion of a construction.

His  thought  was  that  if  one  starts  out  with  constructions  of  objects  asserted  to  exist  in  the 
premises  of  an  intuitionistic  deduction,  and  an  object  is  asserted  to  exist  in  the  conclusion 
of  the  deduction,  there  should  be  a  means  of  converting  the  deduction  into  a  construction 
of  the  latter  object.  Heyting  was  not  thinking  in  terms  of  an  implementation  of 
constructions as programs to be run on real hardware, none existed at that time. This was
a  conceptual  exercise  in  construction,  perhaps  thought  of  in  terms  of  pencil  and  paper. 

Here  are  some  of  the  issues.  In  classical  mathematics,  when  a  proposition  is  proven,  it  can 
be  used  as  a  lemma  for  all  subsequent  propositions  without  referring  to  the  specific  way  the 
proposition  has  been  proved.  The  proposition’s  past  history,  so  to  speak,  plays  no  role  in 
subsequent  deductions  based  on  the  proposition.  One  proof  of  the  proposition  is  as  good  as 
another,  and  need  not  be  used  later  when  using  the  proposition.  In  classical  propositional 
logic  this  is  reflected  by  the  truth  functionality  (with  T,  F  as  the  only  truth  values)  of 
the  logical  connectives,  that  is  the  truth  or  falsity  of  the  compound  proposition  is 
determined  by  truth  or  falsity  of  the  parts  and  without  reference  to  any  further  features  of 
the  parts.  In  Heyting's  view  the  situation  is  different  for  intuitionistic  logic.  The  intent  is 
to combine constructions establishing the parts of a compound proposition to get a
construction  establishing  the  compound  proposition  itself.  This  entails  constructions  which 
yield  new  constructions  from  old.  This  is  like  a  construction  for  composition  of  functions 
which, applied to a construction for f(x) = x·x and a construction for the function
g(x) = x + 2, yields a construction for g(f(x)) = x·x + 2. Further, different constructions
associated  with  parts  of  a  compound  statement  can  be  combined  in  different  ways  to  give 
different  constructions  for  the  compound  statement.  We  assume  as  did  Heyting  an 
informal  notion  of  a  construction  as  a  rule  which  applies  to  constructions  to  yield 
constructions. 

Here  are  some  requirements  that  Heyting  imposed  on  the  notion  of  construction  for 
interpreting  intuitionistic  logic. 

1) A definition for atomic statements P = R(c1, ..., cn) of the phrase "construction c
proves P."

This c should be a construction showing that R(c1, ..., cn) is true. For example, the
atomic statement P might say that with a given definition of x, x > 3. A construction
c such that c proves P should verify x > 3 from the definition of x.

2)  Construction  c  proves  (A  A  B)  if  and  only  if 

c  is  a  pair  of  constructions  (d,  e)  such  that  d  proves  A  and  e  proves  B. 

The  intent  here  is  that  we  can  recover  constructions  d,  e  from  construction  c  and 
conversely. 

3)  Construction  c  proves  (A  V  B)  if  and  only  if 

c  is  a  pair  (d,  e)  such  that  d  is  a  natural  number  and  if  d  is  0,  e  proves  A,  if  d  is 
non-zero,  e  proves  B. 

The  intent  here  is  that  we  can  recover  a  specified  one  of  d,  e  from  c  and  what  it  proves, 
and  conversely. 


4) c proves (A → B) if and only if whenever d proves A, then c(d) proves B.

The idea here is that c is a construction which, applied to any construction d proving
A, produces a construction c(d) proving B.

5) Construction c proves (∀x)P(x) if and only if whenever d is a construction proving
that e is an element of the domain D over which x ranges, then c(d) constructs P(e).

So c transforms proofs of instances of elementhood in D to proofs of instances of the
universal statement. Thus c contains a proof of (∀x∈D)P(x).

Remark. D is discrete if

for all φ, (∀x)(x ∈ D → φ(x) ∨ …)

In  case  D  is  discrete,  we  may  without  loss  identify  each  element  of  D  with  a  canonical 
construction  of  that  element.  Then  5)  would  require  merely  that  c  is  a  function  on  D 
mapping  members  e  of  D  to  proofs  c(e)  of  P(e).  This  simplification  is  not  satisfactory 
when,  as  in  the  case  of  the  real  numbers,  there  is  no  obvious  choice  or  even  no  possible 
canonical  choice  of  construction  for  each  element  of  D,  but  rather  many  constructions  of 
each element of D. But even for the natural numbers, certain authors (Martin-Löf,
de Bruijn) would require that the statement "2^(…) is a natural number" be proved by
unravelling the definition of 2^(…). This is certainly a concern in computer science as well.

6) Construction c proves (∃x)P(x) if and only if

c  is  a  pair  (d,  e)  such  that  d  is  a  construction  of  an  element  f  of  D  and  e  proves 
P(f). 

These  six  requirements  are  criteria  which  any  adequate  definition  of  construction  should 
obey.  They  do  not  resolve  the  question:  What  is  a  construction? 

—  We  did  not  specify  a  base  step  saying  what  "c  constructs  atomic  statement  S"  means. 

—  We  did  not  specify  what  is  meant  by  a  construction  for  the  elements  of  a  domain,  a 
significant  problem  for  uncountable  domains  such  as  the  real  numbers. 

—  For  construction  c  to  prove  that  d  is  an  element  of  a  domain  D  means  that  elements 
of domain D have potential descriptions by means of constructions and that c proves a
specific  candidate  description  meets  the  requirement  of  being  in  D. 
— A rule of inference should reflect a construction that converts the constructions
associated  with  the  premises  of  the  rule  to  a  construction  associated  with  the  conclusion  of 
the  rule. 

—  A  deduction,  leading  from  assumptions  to  a  conclusion,  possibly  through  many 
applications  of  various  rules  of  deduction,  should  reflect  a  construction  leading  from 
constructions  of  its  premises  to  constructions  of  its  conclusion. 

There is an interesting literature on the theory of constructions as an independent
axiomatic  theory,  see  Goodman  [1970, 1973]. 

Heyting Arithmetic (HA). Intuitionistic first order arithmetic (HA) is obtained by taking
the predicate logic Peano axioms for the natural numbers based on 0, successor, addition,
multiplication, and the usual axioms for equality, as axioms in intuitionistic predicate
logic. Here addition and multiplication are assumed to satisfy their recursion equations
and the induction axiom is assumed for all formulas φ. An integer is represented as the
numeral S(S(S(...0))) in HA. A (total) function f on the integers is called provably
recursive in HA if there is a formula φ(x, y) such that (∀x)(∃y)φ(x, y) is provable in
HA, and for all integers m, n, if m̄, n̄ are the respective numerals in HA, then f(m) = n
iff φ(m̄, n̄) is provable in HA. The set of provably recursive functions of HA contains all
functions of integers that arise in ordinary mathematical or computational practice.

§4.  Kleene's  realizability  for  HA.  Kleene's  1945  notion  of  recursive  realizability  for  HA 
may  be  thought  of  as  an  interpretation  within  classical  mathematics  in  which  Heyting's 
"constructions"  are  codes  for  programs  computing  recursive  functions  on  Turing  machines. 
Kleene's  own  motivation  was  not  Heyting's  work,  but  rather  the  notion  of  "incomplete 
communication  of  information  about  a  proposition"  suggested  by  Kleene's  reading  of 
Hilbert–Bernays. Think of each construction as operating on input data (which are
themselves descriptions of constructions) to produce output data (which are themselves
descriptions of constructions). If we identify constructions with programs for computing
partial recursive functions, and identify these programs with their codes (Gödel numbers),
each  construction  can  be  represented  conceptually  by  a  partial  recursive  function  p 
operating  on  codes  of  input  constructions  to  produce  codes  of  output  constructions.  In 
Kleene's  notation  for  partial  recursive  functions,  {e}y  is  the  value  (if  any)  of  the  partial 
recursive  function  defined  by  the  e-th  Turing  machine  evaluated  at  argument  y.  Kleene 
construed  {e}y  as  the  code  of  a  construction  resulting  from  applying  the  construction  with 
code {e} to the construction with code y.

Suppose  we  identify  Heyting's  constructions  with  indices  of  partial  recursive  functions.  To 
fit  Heyting's  idea  that  from  intuitionistic  proofs,  one  should  be  able  to  extract  a 
construction  for  objects  proved  to  exist,  there  should  certainly  be  a  procedure  for 
extracting  from  an  intuitionistic  proof  of  a  statement 

(∀x)(∃y)φ(x, y)

a recursive function y(x) such that (∀x)φ(x, y(x)). That is, there should be a procedure
to extract a program to compute a function y(x) from an intuitionistic proof of
(∀x)(∃y)φ(x, y). Kleene's 1945 realizability does this, and is the earliest example of
extraction of programs (Turing machine programs) from intuitionistic proofs. Below is
Kleene's definition of "e realizes φ" in HA for e an integer and φ a statement. Here
"e realizes φ" will be a statement in HA itself. The definition is by induction on the
length of statements. Kleene describes e informally as an incomplete communication of
information about φ. Constable, the originator of NuPRL, coined the phrase "e is
evidence for φ". In this spirit, what should the base clause for atomic statements say?
Since these are pure numerical equations and HA proves the true ones and refutes the false
ones, these atomic statements can be regarded as needing no evidence, or as being verified
by any evidence. So we may start with

Atomic statements.

For atomic φ, e realizes φ is φ.

Remarks. For atomic φ, "e realizes φ" is defined to be the statement φ itself. This is a
so-called "internalization" of realizability by means of formulas within HA. The other
clauses can be explained by the same words as were used for Heyting's constructions if
"construction" is replaced by "index e of a partial recursive function {e}". Let p be a
simple 1-1 recursive pairing function. Here p assigns a natural number z = p(x, y) to
each pair of natural numbers x, y. The components x and y will be denoted by (z)_0 = x,
(z)_1 = y.


Conjunction.
e realizes (φ ∧ ψ) is

[(e)_0 realizes φ] ∧ [(e)_1 realizes ψ]

Disjunction.
e realizes (φ ∨ ψ) is

((e)_0 = 0 → (e)_1 realizes φ) ∧ ((e)_0 ≠ 0 → (e)_1 realizes ψ)

Implication.
e realizes (φ → ψ) is

(∀y)(y realizes φ → {e}y is defined and realizes ψ)

Existential Quantification.
e realizes (∃y)φ(y) is

(e)_1 realizes φ((e)_0)

Remark. This means unpairing e gives a zeroth coordinate which is a witness to the
existential quantifier and a first coordinate which is evidence for that fact.

Universal Quantification.
e realizes (∀y)φ(y) is

(∀y)({e}y is defined and realizes φ(y))

There is a formula in HA expressing that {e}y is defined, namely (∃u)T(e, y, u), where
T is Kleene's T-predicate (Kleene [1952]). So all these clauses can be written down in
HA.
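The clauses above, run as a program. This is an added example, not part of Kleene's or the paper's own material: realizers of the ∧, ∨, ∃ fragment are natural numbers decoded with a Cantor pairing function standing in for p, atomic statements carry their truth value since they need no evidence, and Python callables stand in for the indices {e} of the implication and universal clauses. The formula φ(x, y) := y > x ∧ y even, the realizer e_spec and all function names are constructed for the illustration. The block shows the extraction of the program y(x) = (e(x))_0 from a realizer of (∀x)(∃y)φ(x, y) that §4 describes, and how a realizer of a disjunction doubles as a decision procedure.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Union
import math

# A simple 1-1 recursive pairing function p, with components (z)_0 and (z)_1.
# Cantor pairing is used here; the text only asks for some 1-1 recursive pairing.
def p(x: int, y: int) -> int:
    return (x + y) * (x + y + 1) // 2 + y

def unpair(z: int) -> tuple[int, int]:
    """Inverse of p: returns ((z)_0, (z)_1)."""
    w = (math.isqrt(8 * z + 1) - 1) // 2          # w = x + y
    y = z - w * (w + 1) // 2
    return w - y, y

# Formulas of the fragment whose realizers are plain numbers: decided atomic numerical
# statements (they need no evidence), conjunction, disjunction and existential statements.
@dataclass(frozen=True)
class Atom: true: bool                            # truth value of a closed numerical equation
@dataclass(frozen=True)
class And: left: Formula; right: Formula
@dataclass(frozen=True)
class Or: left: Formula; right: Formula
@dataclass(frozen=True)
class Exists: body: Callable[[int], Formula]      # (∃y)φ(y); body(n) is the instance φ(n)
Formula = Union[Atom, And, Or, Exists]

def realizes(e: int, phi: Formula) -> bool:
    """Kleene's clauses, read as a decision procedure for "e realizes φ"."""
    if isinstance(phi, Atom):
        return phi.true                            # "e realizes φ" is φ itself
    e0, e1 = unpair(e)
    if isinstance(phi, And):                       # (e)_0 realizes φ and (e)_1 realizes ψ
        return realizes(e0, phi.left) and realizes(e1, phi.right)
    if isinstance(phi, Or):                        # (e)_0 picks the disjunct, (e)_1 is its evidence
        return realizes(e1, phi.left) if e0 == 0 else realizes(e1, phi.right)
    if isinstance(phi, Exists):                    # (e)_0 is the witness, (e)_1 realizes φ((e)_0)
        return realizes(e1, phi.body(e0))
    raise TypeError(f"not a formula: {phi!r}")

# Program extraction from a realizer of (∀x)(∃y)φ(x, y), for the constructed instance
# φ(x, y): y > x ∧ y is even.
def phi(x: int, y: int) -> Formula:
    return And(Atom(y > x), Atom(y % 2 == 0))

def exists_y_phi(x: int) -> Formula:
    return Exists(lambda y: phi(x, y))

# A realizer of (∀x)(∃y)φ(x, y) is a total recursive function; a Python callable stands in
# for Kleene's {e}. This one (constructed for the example) picks y = 2x + 2; both conjuncts
# are atomic, so any number, here p(0, 0), serves as evidence for φ(x, 2x + 2).
def e_spec(x: int) -> int:
    return p(2 * x + 2, p(0, 0))

def extract_program(e: Callable[[int], int]) -> Callable[[int], int]:
    """The extracted program y(x) = (e(x))_0: the witness coordinate of the realizer at x."""
    return lambda x: unpair(e(x))[0]

def realizer_valid_at(e: Callable[[int], int], spec: Callable[[int], Formula], x: int) -> bool:
    """The universal clause at one instance: e(x) is defined and realizes spec(x)."""
    return realizes(e(x), spec(x))

# A realizer of a disjunction doubles as a decision procedure: (e)_0 says which side holds.
def parity(x: int) -> Formula:
    return Or(Atom(x % 2 == 0), Atom(x % 2 == 1))

def e_parity(x: int) -> int:                       # constructed realizer of (∀x)(x even ∨ x odd)
    return p(0 if x % 2 == 0 else 1, 0)

def decide_from_realizer(e: Callable[[int], int], x: int) -> int:
    return unpair(e(x))[0]

if __name__ == "__main__":
    y = extract_program(e_spec)
    print([y(x) for x in range(5)])                                           # [2, 4, 6, 8, 10]
    print(all(realizer_valid_at(e_spec, exists_y_phi, x) for x in range(50)))  # True
    print(decide_from_realizer(e_parity, 7))                                  # 1: 7 is odd
```

The implication and universal clauses quantify over all inputs, so `realizer_valid_at` can only spot-check them at chosen instances; the ∧, ∨, ∃ clauses over decided atoms are decidable outright, which is why `realizes` needs no search.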

For  the  next  section,  replace  Kleene's  notation  {x}y,  universally  used  in  recursion  theory, 
by  the  notation  (xy),  a  partial  binary  operation  on  numbers.  This  notation  (xy) 
corresponds  to  that  of  Haskell  Curry's  theory  of  "applicative  structures". 

§5. Untyped application. Schönfinkel (1924) and Curry (1930) independently formalized the
idea  of  a  functional  rule  directly.  This  is  combinatory  logic.  Instead  of  taking  the  notion 
of membership in sets as fundamental for mathematics, Curry took as fundamental the
notion  of  a  functional  rule  which  may  apply  to  any  mathematical  object  as  argument  to 
give  a  mathematical  object  as  value.  The  new  wrinkle  was  that  he  took  the  proper  objects 
of  mathematics  to  be  the  functional  rules  themselves,  contrary  to  the  point  of  view  of  set 
theory  in  which  sets  are  the  proper  mathematical  objects.  But  since  a  functional  rule  is  to 
operate  on  any  mathematical  object  as  argument,  and  mathematical  objects  are  themselves 
the  functional  rules,  it  follows  that  each  functional  rule  F  can  be  applied  to  any  functional 
rule  G  as  argument,  producing  a  functional  rule  (FG)  as  value.  We  have  then  a  binary 
operation  on  rules,  the  operation  of  application. 

We  do  not  view  the  notion  of  application  as  a  foundation  for  mathematics.  Instead,  we 
give  the  classical  mathematical  definition  of  an  application  structure  within  set  theory,  just 
like  the  definition  of  any  other  contemporary  mathematical  structure.  This  is  not 
connected  with  Curry's  original  purpose,  but  is  the  way  that  many  computer  science 
applications  arise.  The  notion  of  a  function  as  a  rule  for  assigning  values  to  arguments  was 
prevalent  for  centuries  before  the  current  set-theoretic  notion  of  a  function  as 
single-valued set of ordered pairs was adopted as a definition by the mainstream of
mathematics. After the turn of the twentieth century it became fashionable to define every
mathematical object as a set, so then the word "function" was usually restricted to the
notion of single valued set of ordered pairs.

Applicative structures. An (untyped) applicative structure will be a non-empty set C
with a binary partial operation, called application, on elements F, G of C. This is
written (FG) or simply FG. Axioms are below. Intuitively, each element of an applicative
structure C represents a code for a "functional rule". Curry invented untyped abstract
application structures as defined above in the case that application is total. Feferman
extended this to partial application. The best reading of the partial operation (FG) is as
follows.

"F is the code of a functional rule which, when applied to an argument which is a code G
of a functional rule, assigns as value the code (FG) of another functional rule".

Example  (Kleene  Structure).  Let  C  be  the  set  of  non-negative  integers  with  the  Kleene 
operation  {x}(y),  written  as  application  (xy).  Here  there  is  no  doubt  what  is  intended  by 
saying  that  x,  y,  (xy)  represent  functional  rules.  They  are  all  code  numbers  for  Turing 
programs  for  computing  partial  recursive  functions  of  one  variable.  This  operation  (xy)  is 
partial since {x} may not be defined at y.

Applicative terms. Let C be an applicative structure. The class of terms over the
language  of  any  C  is  defined  inductively  as  follows. 

(i)  Every  element  of  C  is  a  term  over  C,  used  as  its  own  constant  name. 

(ii)  Variables  X,  Y,  Z, ...  are  terms  over  C. 

(iii) If α, β are terms over C, then (αβ) is a term over C.


These  are  the  natural  "polynomials"  in  applicative  structures.  When  writing  terms  and 
omitting  parentheses,  we  assume  left  association. 


Let τ(Y_1, ..., Y_n) be a term over C with at most the indicated free variables. Then τ
induces a (partial) function on a subset of the n-tuples (c_1, ..., c_n) from C with values
in C, defined by substituting c_1 for Y_1, ..., c_n for Y_n in τ, and evaluating when
defined. The left multiplications of C are the partial maps of C to C given by x → (cx)
for a c in C. The applicative structure C is called functionally complete if for every
term τ(x) with one free variable x, the partial function on C to C induced by τ is a
left multiplication induced by an element c of C. This is the property we want to have for
applicative structures. It is guaranteed by putting into C special elements.


Definition. An applicative structure (often called a partial applicative structure) consists
of a set C and a partial operation (xy) on C such that C has distinct elements K and
S and I for which

0) Ia = a,

1) Sxy = (Sx)y is always defined,

2) Kxy = x,

3) Sxyz = ((Sx)y)z is defined iff xz(yz) is defined and then Sxyz = xz(yz).


Note that I is dispensable in favour of SKK since for all x, Ix = SKKx, but we keep I
anyway.

Exercise. Interpret I, K, S in Kleene's applicative structure with domain the natural
numbers and application operation {x}y = xy, and verify the axioms.

Example. In the Kleene structure the partial function τ(c_1, ..., c_n) is partial recursive
and an index for this partial recursive function can be computed from τ. Thus each term
with one free variable τ(Y) induces a partial recursive function on C to C with index
x. This means that the function induced on C is left multiplication by x.

So  the  Kleene  structure  is  functionally  complete. 

We  want  to  think  of  elements  of  C  as  functional  programs  whose  inputs  and  outputs  are 
functional  programs.  The  following  construction  is  one  way  of  making  this  possible.  In 
any applicative structure we define λ-abstraction.

Theorem. For each term t over C built up from variables and application and constants
K, S, I, there is a term over C, which we abbreviate as λX.t, whose free variables are
those of t leaving out X such that

λX.t is always defined, and

(λX.t)X is defined iff t is defined and these values are equal.

Proof. Curry's inductive definition of λ is as follows.

(λX).X is SKK, or I.

(λX).t is Kt if t is a constant or a variable other than X,

(λX).uv is S((λX).u)((λX).v).

Exercise.  Verify  the  theorem  above  and  conclude  functional  completeness  of  all  applicative 
structures  C. 
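A check of the theorem and the exercise in code. This added example (not from the paper) implements terms over K, S, I, Curry's three clauses for (λX).t, and leftmost-outermost rewriting by the axioms 0)–3); `abstraction_theorem_holds` compares (λX.t)u with t after substituting u for X and verifies that λX.t binds exactly X. All identifiers are the example's own.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union

@dataclass(frozen=True)
class Con: name: str                     # K, S, I, or an element of C named by itself
@dataclass(frozen=True)
class Var: name: str                     # a variable X, Y, Z, ...
@dataclass(frozen=True)
class App: fun: Term; arg: Term          # application (αβ)
Term = Union[Con, Var, App]
K, S, I = Con("K"), Con("S"), Con("I")

def app(*ts: Term) -> Term:
    """app(a, b, c) is ((ab)c): terms associate to the left."""
    t = ts[0]
    for u in ts[1:]:
        t = App(t, u)
    return t

def free_vars(t: Term) -> set[str]:
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return set()

def abstract(x: str, t: Term) -> Term:
    """Curry's inductive definition of (λX).t."""
    if isinstance(t, Var) and t.name == x:
        return I                                             # (λX).X is I, i.e. SKK
    if isinstance(t, (Var, Con)):
        return App(K, t)                                     # (λX).t is Kt when t is not X
    return app(S, abstract(x, t.fun), abstract(x, t.arg))   # (λX).uv is S((λX).u)((λX).v)

def subst(t: Term, x: str, u: Term) -> Term:
    """t with u put for the variable X (terms have no binders, so no capture can occur)."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, u), subst(t.arg, x, u))
    return t

def spine(t: Term) -> tuple[Term, list[Term]]:
    """Split t = h a_1 ... a_n into its head h and the argument list [a_1, ..., a_n]."""
    args: list[Term] = []
    while isinstance(t, App):
        args.append(t.arg)
        t = t.fun
    return t, args[::-1]

def step(t: Term) -> Optional[Term]:
    """One leftmost-outermost rewrite by Ia = a, Kxy = x, Sxyz = xz(yz); None if none applies."""
    head, args = spine(t)
    if head == I and len(args) >= 1:
        return app(*args)
    if head == K and len(args) >= 2:
        return app(args[0], *args[2:])
    if head == S and len(args) >= 3:
        x, y, z = args[:3]
        return app(x, z, App(y, z), *args[3:])
    if isinstance(t, App):                   # no axiom fires at the head: rewrite inside
        f = step(t.fun)
        if f is not None:
            return App(f, t.arg)
        a = step(t.arg)
        return None if a is None else App(t.fun, a)
    return None

def normalize(t: Term, limit: int = 10_000) -> Optional[Term]:
    """Rewrite until no axiom applies; None if the term has not settled within the limit."""
    for _ in range(limit):
        n = step(t)
        if n is None:
            return t
        t = n
    return None

def abstraction_theorem_holds(x: str, t: Term, u: Term) -> bool:
    """(λX.t)u and t with u for X have the same value, and λX.t binds exactly X."""
    lhs = normalize(App(abstract(x, t), u))
    rhs = normalize(subst(t, x, u))
    return lhs is not None and lhs == rhs and free_vars(abstract(x, t)) == free_vars(t) - {x}
```

Rewriting the head of the spine first mirrors the partiality in axiom 3): Kxy gives x without ever looking at y, so a y with no value does not spoil the result, while S x y with only two arguments is left standing, as 1) says it is defined.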

§6. Untyped λ-calculus. In the early 1930's Alonzo Church developed another theory of
functional rules covering much the same ground, expressed as "untyped λ-terms". We do
not give a modern discussion of general notions of untyped λ-calculus analogous to the
general notion of a partial combinatory structure discussed above, but restrict ourselves for
lack of space to Church's original case. We outline only the definition of λ-term, and how
to use such terms as functional rules to compute functions of integers.
The syntax consists of variables "X_0, X_1, ...", the abstraction symbol "λ", and
parentheses and dot.

Untyped λ-terms.

i) A variable X is a λ-term. The sole occurrence of X in X is free.

ii) If M, N are terms, then the application (MN) of M to N is a term. Occurrences
of variables are free or bound in (MN) as they are in M, N.

iii) If M is a term and X is a variable, then the λ-abstraction (λX).M of M with
respect to X is a term. An occurrence of a variable other than X in (λX).M is free or
bound as it is in M. Occurrences of X in (λX).M are all bound.

Informally the standard interpretation is that

- variables range over λ-terms

- λ-abstraction. (λX).t is a code for the rule making the rule with code t a function of
X.

- application. (MN) is the application of rule with code M to argument with code N to
give as value the code (MN) of another rule.

Of  course,  the  notation  also  admits  other  interpretations. 

The convention is that λX_1...X_n.M is an abbreviation for λX_1(...(λX_n.M)...), making
the rule with code M a function of X_1, ..., X_n. Also M_1M_2...M_n is the abbreviation for
(...(M_1M_2)...M_n).


Reduction  Rules. 

α-rule. We can rename bound variables, that is

λX.M immediately reduces to λY.M[X/Y], where M[X/Y] is the result of substituting Y
for X everywhere in M.

β-rule. (λX.M)N immediately reduces to M[X/N],

provided every free occurrence of variables in N before substitution remains free after the
substitution.

This can always be achieved by applying a suitable α-reduction before the intended
β-reduction.

Reducibility.

A λ-term s is reducible to a λ-term t if there is a sequence of λ-terms
s = t_0, t_1, ..., t_n = t such that each t_{i+1} is obtained from t_i by replacing a subterm t_i'
of t_i by a term to which t_i' immediately reduces using an α-rule or a β-rule. A term is
normal if there is no subterm to which the β-rule can be applied. A term is normalizable if
it is reducible to a normal term, called a normal form for that term.

Examples. Normal forms of terms do not necessarily exist. Let Δ be λX.XX. Δt
β-reduces to tt, ΔΔ β-reduces to ΔΔ. Even for terms with normal forms, there can be
infinite sequences of looping β-reductions. Look at (λXY.Y)(ΔΔ)a, which β-reduces to
a, and also to (λXY.Y)(ΔΔ)a, depending on whether the whole term or the subterm ΔΔ is
immediately β-reduced.

Theorem.  (Church-Rosser)  If  a  term  has  a  normal  form,  the  form  is  unique. 

Church  also  proved  there  is  no  recursive  procedure  for  telling  whether  or  not  a  term  has  a 
normal  form. 

Here is the usual representation of an integer n as a term n̄ in the Church λ-calculus.
Identify integer n with a term n̄ representing n-fold iteration of a function f, that is,
n̄fX = f^(n)(X), where f^(n)(X) is f(f(...f(X)...)), f iterated n times. So n̄ should be
λYX.Y^(n)X, the "Church numeral" for n. So zero is represented by the λ-term λYX.X,
and successor is represented by λUYX.Y(UYX). The Church numerals are normal terms,
hence by the Church-Rosser theorem they cannot be reduced to one another. The
execution of a computation in the Church λ-calculus is a sequence of immediate
reductions applied to a λ-term. The computation terminates when a normal form is
obtained. The normal form is regarded as a code for the intended result of the
computation. If the aim is to compute an integer with code a Church numeral by reducing
a term to normal form, the normality of Church numerals guarantees a unique integer
result if any.

The usual method of computing partial functions f of integers in Church's λ-calculus is
based on this. A partial function f (of n integer variables) is called λ-definable if there
is a λ-term F such that for all Church numerals a_1, ..., a_n, b,

f(a_1, ..., a_n) = b iff Fa_1...a_n is reducible to b.

That is, to compute the value f(a_1, ..., a_n), we reduce the term Fa_1...a_n to normal form
b, a Church numeral. Then f(a_1, ..., a_n) is the integer b.

Theorem. (Kleene) Every partial recursive function is λ-definable, and conversely.

We give only a simple example of a function definition. Definition by cases can be defined
by first defining truth values T = λX.λY.X and F = λX.λY.Y (analogous to T = 0 and
F = 1 in ordinary logic). Then, if f, g are λ-terms and b takes values T, F, and we
set Dfgb = (bf)g, it is easy to check that DfgT reduces to f and DfgF reduces to g.
Notice however that Dfgb represents a (possibly partial) computable function even when
b reduces to neither T nor F.

To see that this original Church λ-calculus gives a Curry combinatory structure, set

I = λx.x
S = λxyz.xz(yz)
K = λxy.x.

Note. Ix is SKKx.
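An interpreter for the untyped λ-calculus of §6, added here as an example and not taken from Church or the paper. It implements the α- and β-rules with capture-avoiding substitution, normal-order reduction (the whole term before its subterms, so that (λXY.Y)(ΔΔ)a reaches a while ΔΔ is reported as having no normal form within the step limit), Church numerals with the successor term, definition by cases with T and F, and the S, K, I terms just given. The helpers lam, app, church and to_int are the example's own names.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Union
import itertools

@dataclass(frozen=True)
class Var: name: str                          # a variable X
@dataclass(frozen=True)
class Lam: var: str; body: Term               # (λX).M
@dataclass(frozen=True)
class App: fun: Term; arg: Term               # (MN)
Term = Union[Var, Lam, App]

def lam(*args) -> Term:
    """lam("X", "Y", M) builds λXY.M, that is λX.(λY.M)."""
    body = args[-1]
    for name in reversed(args[:-1]):
        body = Lam(name, body)
    return body

def app(*ts: Term) -> Term:
    """app(M1, M2, ..., Mn) builds (...(M1M2)...Mn), associating to the left."""
    t = ts[0]
    for u in ts[1:]:
        t = App(t, u)
    return t

def free_vars(t: Term) -> set[str]:
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    return free_vars(t.body) - {t.var}

def subst(m: Term, x: str, n: Term) -> Term:
    """M[X/N]: N replaces the free occurrences of X in M. A binder of M that would capture
    a free variable of N is first renamed by the α-rule, so the proviso of the β-rule holds."""
    if isinstance(m, Var):
        return n if m.name == x else m
    if isinstance(m, App):
        return App(subst(m.fun, x, n), subst(m.arg, x, n))
    if m.var == x:                              # X is bound here: nothing to replace
        return m
    if m.var in free_vars(n) and x in free_vars(m.body):
        avoid = free_vars(n) | free_vars(m.body)
        y = next(f"v{i}" for i in itertools.count() if f"v{i}" not in avoid)
        m = Lam(y, subst(m.body, m.var, Var(y)))   # α-rule: λX.M to λY.M[X/Y]
    return Lam(m.var, subst(m.body, x, n))

def step(t: Term) -> Optional[Term]:
    """One β-reduction of the leftmost-outermost redex (normal order); None if t is normal."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):                # β-rule: (λX.M)N to M[X/N]
            return subst(t.fun.body, t.fun.var, t.arg)
        f = step(t.fun)
        if f is not None:
            return App(f, t.arg)
        a = step(t.arg)
        return None if a is None else App(t.fun, a)
    if isinstance(t, Lam):
        b = step(t.body)
        return None if b is None else Lam(t.var, b)
    return None

def normalize(t: Term, limit: int = 10_000) -> Optional[Term]:
    """Reduce to normal form; None if none is reached within the step limit (as for ΔΔ)."""
    for _ in range(limit):
        n = step(t)
        if n is None:
            return t
        t = n
    return None

def church(n: int) -> Term:
    """The Church numeral λYX.Y^(n)X."""
    body: Term = Var("X")
    for _ in range(n):
        body = App(Var("Y"), body)
    return lam("Y", "X", body)

def to_int(t: Term) -> Optional[int]:
    """Read a normal term of the shape λf.λx.f(...(fx)...) back as an integer, else None."""
    if not (isinstance(t, Lam) and isinstance(t.body, Lam)):
        return None
    f, x, body = t.var, t.body.var, t.body.body
    n = 0
    while isinstance(body, App) and body.fun == Var(f):
        body, n = body.arg, n + 1
    return n if body == Var(x) else None

SUCC = lam("U", "Y", "X", app(Var("Y"), app(Var("U"), Var("Y"), Var("X"))))  # λUYX.Y(UYX)
T = lam("X", "Y", Var("X"))                   # truth values for definition by cases
F = lam("X", "Y", Var("Y"))
DELTA = lam("X", app(Var("X"), Var("X")))     # Δ = λX.XX; ΔΔ reduces only to itself
I_ = lam("x", Var("x"))                       # the combinators as λ-terms
S_ = lam("x", "y", "z", app(Var("x"), Var("z"), app(Var("y"), Var("z"))))
K_ = lam("x", "y", Var("x"))

def D(f: Term, g: Term, b: Term) -> Term:
    """Definition by cases: Dfgb = (bf)g, so DfgT reduces to f and DfgF to g."""
    return app(b, f, g)
```

Because `step` reduces the outermost redex first, the looping example of the text never loops here; choosing the innermost redex instead (reduce `t.arg` before testing `t.fun` for a λ) would make the same term run until the step limit, which is exactly the dependence on reduction order that the examples describe. Church's undecidability result means the step limit cannot be replaced by a test for the existence of a normal form.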

§7. Set theory and application. Curry intended combinatory structures as a theory
of the necessary properties of "functional rule". Because of the way
mathematics is written, it may appear to the naive that the notion of a function as a single
valued set of ordered pairs has completely supplanted the notion of a functional rule. In
set theory an example of a functional rule which is not a function is the rule φ(x, y)
assigning to each set x its unit set y = {x}. If this were a function, its domain would be
a set, while it is the proper class of all sets. We review the foundations of set theory as
established by Zermelo, Fraenkel, and Skolem in the period 1908–1920. The primitive
notions of Zermelo–Fraenkel set theory are set and membership. So the primitive relation
is ∈, the quantifiers range over all sets. Equality of sets x = y can be defined as
(∀z)(z ∈ x ↔ z ∈ y). (What makes ZF extensional is the assertion that this notion of
equality is "true" equality in the sense that it satisfies the equality axioms x = y → (φ(x) ↔
φ(y)) for all φ.) Set theory axioms assert that certain initial sets exist and provide rules for
the construction of new sets from old. For example,

(∃z)(∀x)¬(x ∈ z)

asserts there is an empty set z, which we abbreviate as ∅.

(∀x)(∀y)(∃z)(∀w)(w ∈ z ↔ w = x ∨ w = y)

asserts  there  is  an  unordered  pair  z  with  members  x,  y,  which  we  abbreviate  as  {x,  y} 
(so  {x}  is  {x,  x}). 

Note:  the  usual  definition  of  ordered  pair  (x,  y)  entering  into  the  definition  of  function  is 
ordered  pair  (x,  y)  =  {{x},  {x,  y}}. 

(∀x)(∃y)(∀w)(w ∈ y ↔ (∃z)(w ∈ z ∧ z ∈ x))

asserts that the set of sets x has a union y, which we abbreviate as ∪x. Then we define
ordinary union x ∪ y as ∪{x, y}.

(∀x)(∃y)(∀z)(z ∈ y ↔ (∀u)(u ∈ z → u ∈ x))

asserts  that  set  x  has  power  set  y  consisting  of  all  subsets  of  x. 

Let P(x) assert that the null set is a member of x, and for all y, whenever y ∈ x, then
y ∪ {y} ∈ x. The axiom of infinity says there is a least x satisfying P(x), and this x is
denoted by ω, the set of integers, and x+1 = x ∪ {x}.
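The axioms listed so far, read as operations on hereditarily finite sets. This added example (not from the paper) uses Python frozensets as the universe; it builds pairs, unions, power sets, the ordered pair {{x}, {x, y}} from the note above together with the recovery of both components, and the integers 0, 1, 2, ... as x+1 = x ∪ {x}. Separation and replacement over a finite set A are included as set comprehensions. All function names are the example's own.

```python
from __future__ import annotations
from itertools import combinations
from typing import Callable, FrozenSet

HFSet = FrozenSet                                     # hereditarily finite sets: nested frozensets
EMPTY: HFSet = frozenset()                            # ∅, the set with no members

def pair(x: HFSet, y: HFSet) -> HFSet:
    """Unordered pair {x, y}; {x} is pair(x, x)."""
    return frozenset({x, y})

def union(x: HFSet) -> HFSet:
    """∪x = {w : (∃z)(w ∈ z ∧ z ∈ x)}."""
    return frozenset(w for z in x for w in z)

def binary_union(x: HFSet, y: HFSet) -> HFSet:
    """x ∪ y, defined as ∪{x, y}."""
    return union(pair(x, y))

def power(x: HFSet) -> HFSet:
    """Power set {z : (∀u)(u ∈ z → u ∈ x)}, enumerated as all combinations of members of x."""
    members = list(x)
    return frozenset(frozenset(c) for r in range(len(members) + 1)
                     for c in combinations(members, r))

def ordered_pair(x: HFSet, y: HFSet) -> HFSet:
    """(x, y) = {{x}, {x, y}}."""
    return pair(pair(x, x), pair(x, y))

def first(p: HFSet) -> HFSet:
    """x is the unique element common to every member of (x, y)."""
    (x,) = frozenset.intersection(*p)
    return x

def second(p: HFSet) -> HFSet:
    """y is the member of ∪(x, y) = {x, y} other than x, or x itself when x = y."""
    x = first(p)
    rest = union(p) - {x}
    return next(iter(rest)) if rest else x

def successor(x: HFSet) -> HFSet:
    """x + 1 = x ∪ {x}."""
    return binary_union(x, pair(x, x))

def numeral(n: int) -> HFSet:
    """The n-th member of ω: 0 = ∅ and n + 1 = n ∪ {n}; it has exactly n members."""
    x = EMPTY
    for _ in range(n):
        x = successor(x)
    return x

def separation(a: HFSet, psi: Callable[[HFSet], bool]) -> HFSet:
    """{x ∈ a : ψ(x)}."""
    return frozenset(x for x in a if psi(x))

def replacement(a: HFSet, rule: Callable[[HFSet], HFSet]) -> HFSet:
    """The image {y : (∃x ∈ a) y = rule(x)} of a under a functional rule."""
    return frozenset(rule(x) for x in a)
```

Replacement takes the rule as a Python callable, which is the point of §7: the rule x ↦ {x} is perfectly usable here on any finite a, although it is not itself a set of ordered pairs with a set as domain.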

Axiom  of  Foundation.  Any  non-empty  set  has  an  element  disjoint  from  it. 
The crucial axiom is replacement, where functional rules rear their heads in set theory.

Axiom of Replacement. Let A be a set and let φ be a formula φ(x_1, ..., x_n, x, y) in the
language of set theory such that for given values of x_1, ..., x_n,

φ(x_1, ..., x_n, x, y) ∧ φ(x_1, ..., x_n, x, z) → y = z.

Then there is a set B such that y ∈ B if and only if there exists an x in A such that
φ(x_1, ..., x_n, x, y). That is, the image of a set under the functional rule given by φ is a
set.


Suppose the formula φ is x = y ∧ ψ(x, x_1, ..., x_n). Then we get as a special case of
replacement the

Axiom of Separation. Given any set A, any formula ψ(x, x_1, ..., x_n), any values of
parameters x_1, ..., x_n, there is a set B such that for all x, x ∈ B iff x ∈ A and
ψ(x, x_1, ..., x_n).

(In  "pure  Zermelo"  set  theory  we  keep  the  axiom  of  separation  and  drop  replacement.) 

The  axiom  of  replacement  is  necessary  for  the  development  of  mathematics,  in  particular  to 
justify definitions by transfinite induction. But such a formula φ in replacement
generally does not define a single valued set of ordered pairs. Consider as above the
formula φ(x, y) that says y = {x}. If there were a single valued set of ordered pairs F
such that (x, y) ∈ F iff y = {x}, the domain of F would be a set V. This would be the
set V of all sets, and would lead directly to Russell's contradictory set {x ∈ V: ¬(x ∈ x)}
and to a contradiction. So V is not a set and φ(x, y) does not define a function as a single
valued  set  of  ordered  pairs  in  Zermelo-Fraenkel  set  theory.  Thus  functional  rules  enter 
into  the  foundations  of  set  theory  through  the  axiom  of  replacement.  So  formulas  with  set 
parameters  act  like  Curry's  functional  rules. 

This  is  more  than  an  analogy.  Each  formula  with  set  parameters  can  be  coded  as  a  set  by 
taking as its code a finite sequence consisting of the Gödel number of the formula and its
set  parameters,  and  conversely  every  set  can  be  thought  of  as  a  code  of  such  a  formula  with 
set  parameters.  So  if  F,  G  are  codes  of  formulas  with  set  parameters,  a  partial 
application operation on formulas with set parameters F, G can be defined by letting
(FG)  be  the  set  assigned  by  the  functional  rule  with  code  F  evaluated  at  G. 

§8. Simple typed λ-calculus. Typed λ-calculi are a return to the modern
(non-self— applicative)  notion  of  function,  where  domain  and  range  are  quite  explicit  as 
types.  In  computer  science  types  arose  first  to  enforce  programming  discipline  and  avoid 
errors  by  typing.  They  turn  out  to  have  a  much  more  profound  interest  (see  the  next 
section). 

Simple  Types. 

Types  are  generated  by  the  following  inductive  clauses. 

(i) Type constants α, β, γ, ... are types (atomic types).

(ii) If σ and τ are types, then (σ ⇒ τ) is a type (exponential types).

(iii) If σ, τ are types, then (σ × τ) is a type (product types).

Terms. 

We begin with a list of variables of type σ: x_1^σ, x_2^σ, x_3^σ, ....

Then the terms of type σ are generated by the following inductive clauses.

(i) Variables of type σ are terms of type σ.

(ii) If s, t are terms of respective types σ, τ, then (s × t) is a term of type (σ × τ).

An occurrence of a variable is free in s × t if and only if free in whichever of s, t it
occurs.

(iii) If t is a term of type (σ × τ), then π_1 t is a term of type σ, π_2 t is a term of
type τ.

An occurrence of a variable is free in π_1 t or π_2 t if and only if free in t.

(iv) If t, u are terms of respective types (σ ⇒ τ), σ, then (tu) is a term of type τ.

An occurrence of a variable in (tu) is free if and only if free in whichever of t, u it
occurs.

(v) If t is a term of type τ and if x is a variable of type σ, then λx.t is a term of type
(σ ⇒ τ).

An occurrence in λx.t of a variable different from x is free if and only if free in t; all
occurrences of x in λx.t are not free.

An occurrence of a variable x in a term t is bound if not free.

Reduction of λ-calculus terms to normal form was viewed from the beginning by Church
as a computation procedure beginning with the term to be reduced, ending with a normal
form for that term as the "answer" to a problem of computation. We state standard
reduction results for the typed lambda calculus with types based on ⇒.

Reduction. 

Let x be a variable of type σ, let u be a term of type σ. In this and only in this case
define t[u/x] as the term resulting by substituting u for all free occurrences of x in t,
where bound variables in t are systematically renamed so as to be distinct from the free
variables in u. (It is easily shown by induction on the definition of the term t that
t[u/x] is a term of the same type as t.)

Exercise. Define t[u/x] by induction on the length of the term t. In substituting new
variables for bound variables, always use the first suitable variable of the same type.

Definition. The following three clauses define "term r contracts to term c".

(i) term r = π_1(t × u) contracts to term t.

(ii) term r = π_2(t × u) contracts to term u.

(iii) term r = (λx^σ.t)u contracts to term t[u/x], provided u is of type σ.

The  left  term  r  is  called  the  redex,  the  right  term  c  is  called  the  contractum. 
Definition. Term v is immediately reducible to term w if w results from v by
replacing one occurrence of a subterm of v as redex by the contractum of that redex using
one application of one of the three rules above.

A finite or infinite sequence of terms t_0, ..., t_n, ... is a reducibility sequence if, for all i for
which t_i is defined, t_{i-1} is immediately reducible to t_i.

Term  v  is  reducible  to  term  w  if  there  is  a  finite  reducibility  sequence  beginning  with  v, 
ending  with  w.  We  write  this  as  v  >  w. 

Definition. A term is called a normal term if it contains no redex, that is no subterm of
the form π_1(t × u), π_2(t × u), (λx^σ.t)u.

(These  are  the  terms  for  which  no  reduction  is  possible.) 

Definition.  A  normalization  of  t  is  a  finite  reducibility  sequence,  beginning  with  t, 
ending  with  a  normal  term  w.  A  term  t  is  normalizable  if  there  is  a  normalization 
starting  with  t. 

Weak  normalization  theorem.  (See  Girard  et  al.{1989].)  Every  term  is  normalizable. 

Definition.  A  term  t  is  strongly  normalizable  if  there  is  no  infinite  reducibility  sequence 
starting  with  t. 

A  harder  theorem  is  the 

Strong  normalization  theorem.  (See  Girard  et  al.  [1989].)  All  terms  of  the  simple  typed 
lambda  calculus  are  strongly  normalizable. 

In  the  untyped  A-calculus,  reduction  of  A-terms  to  normal  form  was,  as  we  have  said 
earlier.  Church’s  method  of  performing  computations.  This  is  a  good  view  for  the  typed 
calculi  as  well,  but  in  the  simple  typed  A-calculus  every  potentially  infinite  sequence  of 
reduction  steps  terminates  in  a  normal  form  due  to  strong  normalization,  and  the  collection 
of  functions  so  computable  is  much  smaller. 
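As an added illustration, not part of the original notes, here are the substitution, contraction and normalization just defined, implemented in Python for the →, × calculus; the variable names v0, v1, ... are this example's own convention for the "first suitable variable" of the exercise, and the tuple encoding of terms is likewise the example's own.

```python
from typing import Optional

# Terms are tagged tuples.  Types are plain data: an atomic type is a
# string, an arrow type is ('->', a, b) and a product type is ('x', a, b).
def var(name, ty): return ('var', name, ty)    # typed variable x^sigma
def lam(v, body):  return ('lam', v, body)     # lambda x^sigma . body
def app(f, a):     return ('app', f, a)        # term application (f a)
def pair(l, r):    return ('pair', l, r)       # pairing  l x r
def proj(i, t):    return ('proj', i, t)       # pi_1 t (i = 1) or pi_2 t (i = 2)

def free_vars(t) -> frozenset:
    """The free variables of term t."""
    tag = t[0]
    if tag == 'var':
        return frozenset([t])
    if tag == 'lam':
        return free_vars(t[2]) - {t[1]}
    if tag == 'proj':
        return free_vars(t[2])
    return free_vars(t[1]) | free_vars(t[2])    # app, pair

def first_suitable(ty, avoid: frozenset):
    """The exercise's convention: the first variable v0, v1, ... of type ty
    that is not among the variables to avoid."""
    i = 0
    while var(f"v{i}", ty) in avoid:
        i += 1
    return var(f"v{i}", ty)

def subst(t, u, x):
    """t[u/x]: replace the free occurrences of x in t by u (the caller
    guarantees u has the type of x).  A bound variable of t that is free
    in u is renamed first, so no free variable of u gets captured."""
    tag = t[0]
    if tag == 'var':
        return u if t == x else t
    if tag == 'lam':
        v, body = t[1], t[2]
        if v == x:
            return t                                  # x is bound here
        if v in free_vars(u) and x in free_vars(body):
            fresh = first_suitable(v[2], free_vars(u) | free_vars(body))
            return lam(fresh, subst(subst(body, fresh, v), u, x))
        return lam(v, subst(body, u, x))
    if tag == 'proj':
        return proj(t[1], subst(t[2], u, x))
    return (tag, subst(t[1], u, x), subst(t[2], u, x))  # app, pair

def contract(r) -> Optional[tuple]:
    """The three contraction rules; None when r is not a redex."""
    if r[0] == 'proj' and r[2][0] == 'pair':          # (i) and (ii)
        return r[2][r[1]]
    if r[0] == 'app' and r[1][0] == 'lam':            # (iii)
        return subst(r[1][2], r[2], r[1][1])
    return None

def step(t) -> Optional[tuple]:
    """One immediate reduction: contract the leftmost-outermost redex,
    or return None when t is normal."""
    c = contract(t)
    if c is not None:
        return c
    if t[0] == 'var':
        return None
    parts = list(t)
    for i in (1, 2):                  # subterms sit in slots 1 and 2
        if isinstance(parts[i], tuple):
            s = step(parts[i])
            if s is not None:
                parts[i] = s
                return tuple(parts)
    return None

def normalize(t) -> list:
    """A normalization of t: the reducibility sequence t = t0, t1, ..., tn
    ending in a normal term.  It is finite by strong normalization."""
    seq = [t]
    while (nxt := step(seq[-1])) is not None:
        seq.append(nxt)
    return seq

# Constructed example: (\x^a.\y^a.x) y with y free.  Substituting blindly
# would capture y; the bound y is renamed to v0 and the result is \v0^a.y.
x, y = var('x', 'a'), var('y', 'a')
CAPTURE = app(lam(x, lam(y, x)), y)

# Constructed example: (\p^(a x b). pi_2 p x pi_1 p)(u x v) normalizes in
# three steps (one beta step, two projections) to (v x u).
p = var('p', ('x', 'a', 'b'))
SWAP = app(lam(p, pair(proj(2, p), proj(1, p))),
           pair(var('u', 'a'), var('v', 'b')))
```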


§9. Curry–Howard isomorphism. Another semantics of intuitionistic logic, which offers an interpretation of Heyting's theory of constructions different from realizability, uses the typed lambda calculus and stems from Curry–Feys [1958]. There is an isomorphism, called the Curry–Howard isomorphism, between two structures which were apparently unrelated before Curry. One is the calculus of deductions in the intuitionistic propositional logic. The other is a calculus of typed terms in a typed lambda calculus whose types are the propositions of that propositional logic. We discuss here the Curry–Howard isomorphism for the fragment of intuitionistic propositional logic based on ∧, →. The isomorphism maps

— propositions to corresponding types

— deductions of propositions to terms of the corresponding type.

Here

— atomic propositions correspond to type constants,

— compound proposition A ∧ B corresponds to type A × B,

— compound proposition A → B corresponds to type A → B.

This ∧, → fragment is also the basis of the cartesian closed category approach to intuitionistic logic. We follow Girard's notations for the most part. We now construct the Curry–Howard isomorphism formally by showing how to construct a typed λ-term from a deduction tree.

0) Assumptions.

Term x_n^A corresponds to an occurrence of assumption A at a leaf. There is a different subscript n for each such instance.

1) ∧-introduction.

If term t of type A corresponds to deduction d of formula A, and term t' of type B corresponds to deduction d' of formula B, then term t × t' is of type A × B and corresponds to the following deduction of (A ∧ B):

      d        d'
      :        :
      A        B
    -------------
       (A ∧ B)

2a) ∧-elimination (left).

If term t is of type A × B and corresponds to deduction d of (A ∧ B), then term π₁t of type A corresponds to the following deduction of A:

        d
        :
     (A ∧ B)
    ---------
        A

2b) ∧-elimination (right).

If t is a term of type A × B corresponding to a deduction d of (A ∧ B), then term π₂t of type B corresponds to the following deduction of B:

        d
        :
     (A ∧ B)
    ---------
        B

3a) →-introduction.

If t is a term of type B corresponding to a deduction d of B from assumption A, then λx^A.t is the term of type (A → B) associated with the deduction

       [A]
        d
        :
        B
    ---------
      A → B

where some or all or none of the instances of A as assumptions are canceled.

3b) →-elimination.

If t of type A and t' of type (A → B) are the terms corresponding to deductions d of A and d' of (A → B), then (t't) is the term of type B corresponding to the following deduction of B:

      d        d'
      :        :
      A     (A → B)
    ---------------
           B
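An added example, not from the notes, that runs clauses 0) to 3b) in reverse: a Python function reads a typed term as the deduction it encodes, recovering the proposition proved at each node and rejecting terms that are not deductions (the tuple encoding, the rule labels and the sample terms are this example's own).

```python
# Propositions are types, as plain data: an atomic proposition is a string,
# A ∧ B is ('and', A, B) and A → B is ('imp', A, B).  Terms are tagged
# tuples built with the five constructors below.
def var(name, prop): return ('var', name, prop)   # x_n^A, an assumption A
def lam(v, body):    return ('lam', v, body)      # λx^A . body
def app(f, a):       return ('app', f, a)         # (f a)
def pair(l, r):      return ('pair', l, r)        # l × r
def proj(i, t):      return ('proj', i, t)        # π_1 t (i = 1), π_2 t (i = 2)

def show(p) -> str:
    """Render a proposition with ∧ and → written out."""
    if isinstance(p, str):
        return p
    sym = {'and': '∧', 'imp': '→'}[p[0]]
    return f"({show(p[1])} {sym} {show(p[2])})"

def deduction(t):
    """Read term t as a natural deduction, clause by clause (0 to 3b).
    Returns (rule, conclusion, premises), premises being sub-deductions.
    Raises ValueError when t is ill-typed, i.e. is not a deduction."""
    tag = t[0]
    if tag == 'var':                                   # 0) assumption leaf
        return ('assumption ' + t[1], t[2], [])
    if tag == 'pair':                                  # 1) ∧-introduction
        dl, dr = deduction(t[1]), deduction(t[2])
        return ('∧I', ('and', dl[1], dr[1]), [dl, dr])
    if tag == 'proj':                                  # 2a/2b) ∧-elimination
        d = deduction(t[2])
        if not (isinstance(d[1], tuple) and d[1][0] == 'and'):
            raise ValueError("∧-elimination applied to a non-conjunction")
        return ('∧E' + str(t[1]), d[1][t[1]], [d])
    if tag == 'lam':                                   # 3a) →-introduction
        d = deduction(t[2])                            # cancels leaves t[1]
        return ('→I', ('imp', t[1][2], d[1]), [d])
    df, da = deduction(t[1]), deduction(t[2])          # 3b) →-elimination
    ok = isinstance(df[1], tuple) and df[1][0] == 'imp' and df[1][1] == da[1]
    if not ok:
        raise ValueError("→-elimination: minor premise is not the antecedent")
    return ('→E', df[1][2], [df, da])

def proves(t):
    """The proposition deduced by term t, which is also its type."""
    return deduction(t)[1]

def is_deduction(t) -> bool:
    try:
        deduction(t)
        return True
    except ValueError:
        return False

def render(d, depth=0) -> str:
    """Indented text, premises above their conclusion, one 'rule: formula'
    per line, nested one level deeper for each inference."""
    rule, concl, prems = d
    lines = [render(p, depth + 1) for p in prems]
    lines.append('  ' * depth + f"{rule}: {show(concl)}")
    return '\n'.join(lines)

A, B = 'A', 'B'
# Constructed example: λp^(A∧B).(π_2 p × π_1 p) deduces (A ∧ B) → (B ∧ A).
p = var('p', ('and', A, B))
COMMUTE = lam(p, pair(proj(2, p), proj(1, p)))

# Constructed example: λx^A.λf^(A→B).(f x) deduces A → ((A → B) → B).
x, f = var('x', A), var('f', ('imp', A, B))
MP = lam(x, lam(f, app(f, x)))
```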

The normalization theorem for simple typed λ-calculus corresponds under the Curry–Howard isomorphism to identical results on normalization of natural deductions in the propositional logic based on ∧, →. Under the Curry–Howard isomorphism, a reduction step for a term in the typed lambda calculus corresponds to the elimination of a superfluous step in the corresponding natural deduction. Elimination of superfluous steps in deductions was a reworking of Gentzen's cut-elimination ([1935, 1969]) for use in consistency proofs for classical first order arithmetic. (But the ∧, → fragment we have discussed corresponds to a tiny fragment of Gentzen's work.) He reduced all proofs of first order arithmetic step by step to a "cut-free" form by an algorithm for the elimination of "superfluous steps". Similarly, proofs can be reduced to a "normal" or "redundancy-free" form. One could see by finitistic reasoning that a "normal form" proof could not end in a contradiction. The whole force of the argument for consistency is to prove that simplification of a deduction by elimination of superfluous steps always terminates in a "normal form" proof. This is where, for full first order intuitionistic or classical arithmetic, non-finitary reasoning is used to show that a specific tree of height ε₀ is well-founded. This tree describes the possible reduction sequences to normal form.

Normalization of deductions is implicit in the theorems of Curry and Feys [1958], and was set forth explicitly in Prawitz [1965]. The connections between cut-elimination and normalization, translations of one to the other, were made precise by Zucker [1974] and Pottinger [1977].

§10. Typed combinators. In the simple typed λ-calculus discussed above there are typed versions of the Curry combinators (see Hindley and Seldin [1986], Lambek [1980]),

$I_\sigma = (\lambda x^\sigma . x^\sigma)$,

$K_{\sigma,\tau} = (\lambda x^\sigma . \lambda y^\tau . x^\sigma)$,

$S_{\sigma,\tau,\rho} = (\lambda x^{\sigma \to \tau \to \rho} . \lambda y^{\sigma \to \tau} . \lambda z^\sigma . (xz)(yz))$.

Curry and Feys [1958] noted that these three typed combinators are formally analogous to the axiom schemas of implicational propositional calculus

$A \to A$,

$(C \to (B \to A)) \to ((C \to B) \to (C \to A))$,

$A \to (B \to A)$.

They noted that a sequence of (legally applied) successive applications of the three typed combinators I, K, S corresponds to the sequence of steps of a deduction using modus ponens as the rule of inference. This was the origin of the Curry–Howard isomorphism.

We can think of typed combinators as "generalized deduction rules" for intuitionistic logics based on modus ponens and implication, and possibly other logical operations.

For simplicity of exposition, in this one section types will be based on → alone (arrow types), as in Curry–Feys [1958] and Hindley–Seldin [1986].

Arrow types.

1. Constant types (atomic types) are types.

2. If σ and τ are types, so is (σ → τ).

We left-associate: ((σ → τ) → ρ) is written σ → τ → ρ.

Typed combinatory terms.

For each type σ, there are infinitely many variables v_n^σ, constants I_σ, K_{σ,τ}, S_{σ,τ,ρ}, and parentheses "(", ")".

1. Each v^σ, I_σ, K_{σ,τ}, S_{σ,τ,ρ} is a typed combinatory term of respective type σ, σ → σ, σ → τ → σ, (σ → τ → ρ) → (σ → τ) → σ → ρ.

2. If X and Y are typed combinatory terms of types σ → τ and σ respectively, then (X^{σ→τ}Y^σ) is a typed combinatory term of type τ.

There is a notion of reduction, and a strong normalization theorem holds for typed combinatory terms. See Hindley and Seldin [1986]. But we have said enough to indicate what typed combinatory structures look like, and how they relate to typed λ-calculus.
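An added Python example, not the text's own, of the observation that applications of typed combinators are modus ponens steps: the combinators are carried with their types (instances of the three axiom schemas), clause 2 is checked as modus ponens, and the familiar derivation I = S K K is carried out as a deduction of A → A. Arrow types are nested explicitly, so no association convention enters; the `Deduction` class and its names are this example's own.

```python
# Arrow types as plain data: an atomic type is a string and σ → τ is
# ('->', σ, τ), with the nesting written out in full.
def arrow(s, t): return ('->', s, t)

# The three typed combinators, each carried with its type: these types are
# instances of the three axiom schemas of the text.
def I(s):       return ('I', arrow(s, s))
def K(s, t):    return ('K', arrow(s, arrow(t, s)))
def S(s, t, r): return ('S', arrow(arrow(s, arrow(t, r)),
                                   arrow(arrow(s, t), arrow(s, r))))

def show(ty) -> str:
    return ty if isinstance(ty, str) else f"({show(ty[1])} → {show(ty[2])})"

def valid_mp(X, Y) -> bool:
    """Clause 2: (X Y) is a typed combinatory term iff X has type σ → τ
    and Y has type σ.  Read logically, this is modus ponens."""
    tx, ty = X[1], Y[1]
    return isinstance(tx, tuple) and tx[0] == '->' and tx[1] == ty

class Deduction:
    """A deduction using modus ponens as the only rule: a list of
    (term, type) lines, each an axiom instance or an application."""
    def __init__(self):
        self.lines = []

    def axiom(self, comb):
        self.lines.append(comb)
        return comb

    def mp(self, X, Y):
        if not valid_mp(X, Y):
            raise TypeError(f"{show(Y[1])} is not the antecedent of {show(X[1])}")
        line = (f"({X[0]} {Y[0]})", X[1][2])
        self.lines.append(line)
        return line

def identity_from_s_and_k(A):
    """Constructed example: the classical definition I = S K K, carried out
    as a deduction of A → A in two modus ponens steps.  The type
    subscripts are chosen so that both applications are legal."""
    d = Deduction()
    s = d.axiom(S(A, arrow(A, A), A))     # (A→((A→A)→A)) → ((A→(A→A)) → (A→A))
    k1 = d.axiom(K(A, arrow(A, A)))       # A → ((A→A) → A)
    k2 = d.axiom(K(A, A))                 # A → (A → A)
    d.mp(d.mp(s, k1), k2)                 # ... → (A → A)
    return d
```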


§11. Second order intuitionistic logic. We now introduce a second order propositional calculus based on →, ∀. There is an infinite list P₀, P₁, ... of "propositional variables".

i) Propositional variables are propositions.

ii) If α, β are propositions, then (α → β) is a proposition.

iii) If α is a proposition and β is a propositional variable, then ∀β.α is a proposition.

This list of primitives suffices for second order logic, since all the other standard connectives are then definable. This is a very powerful theory, much stronger than it appears at first. This is the theory which gives rise, under a strengthening of the Curry–Howard isomorphism described above, to the "polymorphic lambda calculus", or the system F of Girard, described briefly later.

Substitution. A substitution B[A/C] of proposition A for all occurrences of variable C in proposition B is called legal if no variable occurrence free in A becomes bound in B[A/C]. The rules defining deductions are as follows.

Atomic deductions.

For every formula A,

      A

is a deduction. A is not canceled.

→-introduction.

From a deduction of B with premise A

      A
      :
      B

form a deduction of A → B,

     [A]
      :
      B
    -------
    A → B

where none or some or all occurrences of premise A may be canceled.

→-elimination.

From a deduction of A

      :
      A

and a deduction of A → B

      :
    A → B

form a deduction of B,

      :        :
      A     A → B
    -------------
          B

∀-introduction.

From a deduction of B in which the propositional variable A does not occur free above the line

      :
      B

form a deduction of ∀A.B,

      :
      B
    ------
    ∀A.B

∀-elimination.

From a deduction of ∀A.B,

      :
    ∀A.B

and a legal substitution B[C/A], form a deduction of B[C/A],

      :
    ∀A.B
    --------
    B[C/A]

§12. Polymorphic λ-calculus. Polymorphic lambda calculus is the typed calculus corresponding to the second order propositional calculus introduced above, with its propositions corresponding to types, its deductions corresponding to terms.

Girard [1972] introduced free type variables as atomic types, and also allowed types which have universally quantified type variables. In our notation for polymorphic terms, two kinds of variable occur. Term variables occur on the line, and type variables occur in superscripts of terms and on the line as well. It is convenient to define a term as a finite sequence of symbols, including the type variables. So we follow the convention that the non-linear notation x^σ is an abbreviation for the linear string (x^σ). We put the "^" in to avoid syntactical confusion.

Remark. The intuition is something like this. Think of each x^σ as a box with label σ in which a term assigned to x may be stored, so long as its type is σ. Think of σ as a label with spaces (type variables) which can be filled out with types, thus changing the type of the x's that can be stored there. Since such type variables will then occur in the type expressions which are superscripts of variables, terms are functions of type variables.

There will be two additional primitive term-builders for the polymorphic calculus, beyond those for the simple typed calculus. One new term-builder of the polymorphic calculus is type application, namely application of a term t to a type σ to get a term tσ, analogous in notation to the application of a term t to a term u to get a term tu in simple typed lambda calculus. The second new term-builder of the polymorphic calculus is type abstraction. If t is a term of type σ and α is a type variable, then Λα.t is a term of type ∀α.σ, meaning that t has been made a function of the type variable α. This pair of term-builders, type abstraction and type application, are the new term-builders of the polymorphic calculus added to simple typed lambda calculus, which has itself only term application and term abstraction as term-builders.

Types.

(i) Type variables α, β, γ, ... are types. The occurrence of a type variable in itself is free.

(ii) If σ and τ are types, then (σ → τ) is a type. An occurrence of a type variable in σ → τ is free or bound as it is in σ, τ respectively.

(iii) If σ is a type and α is a type variable, then ∀α.σ is a type. All occurrences of α in ∀α.σ are bound. An occurrence of a type variable other than α in ∀α.σ is free or bound as it is in σ.

We do not distinguish types that differ only in their bound variables. σ[τ/α] is the result of substituting type τ for the free occurrences of type variable α in type σ, where the bound variables of σ must be renamed so as to be distinct from the free type variables of τ.

Terms.

(i) Term variables x^σ, y^σ, ... are terms of type σ. In x^σ the occurrence of the term variable is free. An occurrence of a type variable in x^σ is free or bound as it is in σ.

(ii) If t is a term of type τ and x^σ is a term variable of type σ, then λx^σ.t is a term of type σ → τ. All occurrences of x^σ in λx^σ.t are bound. Occurrences of term variables other than x^σ in λx^σ.t are free or bound as they are in σ or in t.

(iii) If t, u are terms of respective types (σ → τ), σ, then (tu) is a term of type τ. Occurrences in tu are free or bound as they are in t, u. This (tu) is usually written t(u), read t applied to u (term application).

(iv) If t is a term of type σ and α is a type variable which does not occur free in the type of any term variable occurring free in t, then Λα.t is a term of type ∀α.σ. All occurrences of the type variable α in Λα.t are bound. Occurrences of term variables or type variables other than α in Λα.t are free or bound as they are in t.

(v) If t is a term of type ∀α.σ and τ is a type, then (tτ) is a term of type σ[τ/α]. Occurrences of term or type variables in (tτ) are free or bound as they are in t, τ. This (tτ) is usually written t(τ), read term t applied to type τ (type application).

Note that (iv) and (v) are abstraction and application for type variables, just as (ii) and (iii) are abstraction and application for term variables. The reason for the limitation on α in (iv) will be clear from the (extended) Curry–Howard isomorphism below.

Reduction.

We use t[u/x^σ] for the result of substituting u for all free occurrences of term variable x^σ in term t, where u is of type σ and the bound term variables in t are renamed so as to be distinct from the free term variables in u, t. Similarly t[τ/α] is the result of substituting type τ for all free occurrences of type variable α in term t, where the bound type variables are renamed so as to be distinct from the free type variables in τ, t.

We now define reducibility as in the simple typed calculus, but with different clauses.

Definition. The following two clauses define "term r contracts to term c".

Suppose u is any term of the same type as term variable x. Then

(i) term r = (λx.t)u contracts to term t[u/x].

Suppose τ is any type and α is a type variable. Then

(ii) term r = (Λα.t)τ contracts to term t[τ/α].

The left term r is called the redex, the right term c is called the contractum. Clearly redex and contractum always have the same type.

Definition. Term v is immediately reducible to term w if w results from v by replacing one occurrence of a subterm of v as redex by the contractum of that redex, using one application of one of the two rules above.

A finite or infinite sequence of terms t₀, t₁, ... is a reducibility sequence if, for all i ≥ 1 for which tᵢ is defined, tᵢ₋₁ is immediately reducible to tᵢ.

Term v is reducible to term w if there is a finite reducibility sequence beginning with v, ending with w. We write v > w. A term is normal if it has no redex. A normalization sequence starting with t is a finite reducibility sequence starting with t and ending in a normal term. A term t is strongly normalizable if every reducibility sequence starting with t can be extended to a normalization sequence.

Theorem. (See Girard [1972].) Every polymorphic term is strongly normalizable.

This is a difficult theorem.

Examples. Polymorphic λ-calculus has such strong expressive power that the usual data types can all be defined in it: for example, integers, lists, trees (see Girard [1988]). In order to define functions it is necessary to define the appropriate types on which they act. Thus the type boolean may be defined as ∀α.α→(α→α). We can set true T = Λα.λx^α.λy^α.x^α and false F = Λα.λx^α.λy^α.y^α (that is, these are defined as "first" and "second"). It is not hard to check that definition by cases Dfgb = f if b = T, Dfgb = g if b = F, where f, g have the same type γ and b has type boolean, is defined in the calculus by Dfgb = (bγ)fg. For then if b = T, bγ chooses f, the first of the two functions f, g, otherwise g.

Natural numbers can be represented as Church numerals in the style n = Λα.λy^{α→α}.λx^α.y(...(y(x))...), with n y's, which term has the type integer = ∀α.(α→α)→(α→α). Zero is here represented by the term Λα.λy^{α→α}.λx^α.x and successor by λu^{integer}.Λα.λy^{α→α}.λx^α.y((uα)yx). It is also possible to represent integers by ∀α.((α→α)→(α→α)), in which n is represented by "n-fold iteration". The notion of "polymorphically definable functions of integers" is defined much as in Church's untyped λ-calculus, but not all total recursive functions are polymorphically definable, only the functions of integers provably recursive in second order classical or intuitionistic arithmetic. (For more see Girard [1988], Leivant [1983], Reynolds and Plotkin [1989].)
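An added example, not from the notes, that checks clauses (i) to (v) mechanically in Python, including the side condition on α in (iv), type substitution with renaming of bound type variables, and equality of types up to their bound variables; it then recovers the types stated above for the booleans, definition by cases, the Church numerals and the successor. The tuple encoding, the variable names and the renaming scheme b0, b1, ... are this example's own.

```python
# Types: a type variable is a string, σ → τ is ('->', σ, τ) and ∀α.σ is
# ('all', α, σ).  Terms are tagged tuples: ('var', x, σ), ('lam', v, t),
# ('app', t, u), ('tlam', α, t) for Λα.t and ('tapp', t, τ) for tτ.

def ftv(s) -> frozenset:
    """Free type variables of type s."""
    if isinstance(s, str):
        return frozenset([s])
    return ftv(s[1]) | ftv(s[2]) if s[0] == '->' else ftv(s[2]) - {s[1]}

def subst_type(s, tau, a):
    """s[tau/a]: bound variables of s are renamed away from ftv(tau)."""
    if isinstance(s, str):
        return tau if s == a else s
    if s[0] == '->':
        return ('->', subst_type(s[1], tau, a), subst_type(s[2], tau, a))
    b, body = s[1], s[2]
    if b == a:
        return s                                   # a is bound here
    if b in ftv(tau) and a in ftv(body):           # rename b to avoid capture
        avoid = ftv(tau) | ftv(body)
        nb = next(f"b{i}" for i in range(len(avoid) + 1) if f"b{i}" not in avoid)
        body, b = subst_type(body, nb, b), nb
    return ('all', b, subst_type(body, tau, a))

def same_type(s, t, bound=()) -> bool:
    """Equality of types up to renaming of bound type variables."""
    if isinstance(s, str) or isinstance(t, str):
        if not (isinstance(s, str) and isinstance(t, str)):
            return False
        for x, y in bound:                         # innermost binder first
            if x == s or y == t:
                return x == s and y == t
        return s == t
    if s[0] != t[0]:
        return False
    if s[0] == '->':
        return same_type(s[1], t[1], bound) and same_type(s[2], t[2], bound)
    return same_type(s[2], t[2], ((s[1], t[1]),) + bound)

def free_term_vars(t) -> frozenset:
    """Free term variables of term t, each with its type annotation."""
    tag = t[0]
    if tag == 'var':
        return frozenset([t])
    if tag == 'lam':
        return free_term_vars(t[2]) - {t[1]}
    if tag == 'app':
        return free_term_vars(t[1]) | free_term_vars(t[2])
    return free_term_vars(t[2] if tag == 'tlam' else t[1])

def type_of(t):
    """The type of a polymorphic term by clauses (i)-(v); TypeError if t
    is not a term."""
    tag = t[0]
    if tag == 'var':                                              # (i)
        return t[2]
    if tag == 'lam':                                              # (ii)
        return ('->', t[1][2], type_of(t[2]))
    if tag == 'app':                                              # (iii)
        f, a = type_of(t[1]), type_of(t[2])
        if not (isinstance(f, tuple) and f[0] == '->' and same_type(f[1], a)):
            raise TypeError("term application: argument type mismatch")
        return f[2]
    if tag == 'tlam':                                             # (iv)
        if any(t[1] in ftv(v[2]) for v in free_term_vars(t[2])):
            raise TypeError(f"{t[1]} is free in the type of a free variable")
        return ('all', t[1], type_of(t[2]))
    f = type_of(t[1])                                             # (v)
    if not (isinstance(f, tuple) and f[0] == 'all'):
        raise TypeError("type application of a term without a ∀ type")
    return subst_type(f[2], t[2], f[1])

def is_term(t) -> bool:
    try:
        return type_of(t) is not None
    except TypeError:
        return False

# Constructed examples from the text: booleans, definition by cases, Church
# numerals and the successor (all names are this example's own).
a = 'a'
BOOLEAN = ('all', a, ('->', a, ('->', a, a)))
x, y = ('var', 'x', a), ('var', 'y', a)
TRUE = ('tlam', a, ('lam', x, ('lam', y, x)))       # "first"
FALSE = ('tlam', a, ('lam', x, ('lam', y, y)))      # "second"

def cases(f, g, b, gamma):                          # D f g b = (b gamma) f g
    return ('app', ('app', ('tapp', b, gamma), f), g)

INTEGER = ('all', a, ('->', ('->', a, a), ('->', a, a)))
yv, xv = ('var', 'y', ('->', a, a)), ('var', 'x', a)
u = ('var', 'u', INTEGER)
SUCC = ('lam', u, ('tlam', a, ('lam', yv, ('lam', xv,
        ('app', yv, ('app', ('app', ('tapp', u, a), yv), xv))))))

def numeral(n):                                     # Λa.λy.λx. y(...(y x)...)
    body = xv
    for _ in range(n):
        body = ('app', yv, body)
    return ('tlam', a, ('lam', yv, ('lam', xv, body)))
```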

§13. Curry–Howard isomorphism. The isomorphism will make second order propositions correspond to polymorphic types and will make second order deductions ending in a proposition correspond to polymorphic terms of the corresponding type. Just as before, term abstraction and term application correspond to implication introduction and implication elimination. What are the new clauses of the definition of the correspondence?

If term t of type A corresponds to a deduction

      :d
      A

and σ is a propositional variable not free in the deduction d, then term Λσ.t of type ∀σ.A corresponds to the deduction

      :d
      A
    ------
    ∀σ.A

If term t of type ∀σ.A corresponds to a deduction

      :d
    ∀σ.A

and B is a legal substitution for σ in A, then the term tB of type A[B/σ] corresponds to

      :d
    ∀σ.A
    --------
    A[B/σ]

Under the Curry–Howard isomorphism, the reduction of polymorphic terms will correspond perfectly to proof simplification in the second order intuitionistic calculus based on ∀, →.

§14. Intuitionistic Zermelo–Fraenkel set theory. IZF is the best developed constructive set theory. IZF attempts to preserve both the expressive power of classical ZF and the mathematician's natural use of higher-order and impredicative concepts. In meeting the requirement of preserving the mathematician's ordinary proof habits, it gets high points compared to most other constructive foundational systems. One can extract programs from proofs in IZF. This is because IZF has well-behaved recursive realizabilities. We exposit McCarty's [1984]. Nothing in this direction has been implemented so far as we know. We cover this topic to indicate a possible future direction of research. IZF will be a first order theory in intuitionistic logic based on "∈" (membership) and "=" (equals).

Part of a "Heyting semantics" of IZF is as follows.

— Each set S has as elements names of constructions.

— x is a member of S if x equals a member y of S.

— S equals T means there is a construction leading from each name of a construction x ∈ S to a name y of an equal construction of T.

— the axioms of IZF should provide for the usual construction of new sets from old, including definitions by transfinite induction, provided that intuitionistic logic is used.

In ZF based on classical logic, definitions by transfinite induction are handled using ordinals, the axiom of foundation, and the replacement axiom. We need to know what axioms to use instead in a constructive context. Classically equivalent axioms are notorious for giving different results in constructive contexts. The "right" definition has to be discovered by analyses of proofs. Here are the axioms of IZF.

Extensionality.

$\forall x \forall y\,((\forall z)(z \in x \leftrightarrow z \in y) \leftrightarrow x = y)$

Pairing.

$\forall x \forall y \exists z\,(x \in z \wedge y \in z)$

Union.

$\forall x \exists y \forall z\,(\forall u \in x\,(z \in u \to z \in y))$

Separation.

$\forall x \exists y \forall z\,(z \in y \leftrightarrow (z \in x \wedge \varphi))$

Power.

$\forall x \exists y \forall z\,((\forall u \in z\,(u \in x)) \to z \in y)$

Infinity.

$\exists x\,((\exists u \in x\, \forall y\, \neg(y \in u)) \wedge (\forall y \in x\, \exists z \in x\,(y \in z)))$

Collection.

$\forall x\,(\forall y \in x\, \exists z\, \varphi \to \exists u\, \forall y \in x\, \exists z \in u\, \varphi)$

Set induction.

$(\forall x)((\forall y \in x\, \varphi(y)) \to \varphi(x)) \to \forall x\, \varphi(x)$

Notes.

— Using only intuitionistic logic, the axiom of choice implies the law of the excluded middle (Diaconescu, D. Scott), so we do not want it.

— Using classical logic the collection axiom is equivalent to the replacement axiom. But using only intuitionistic logic the collection axiom is stronger than replacement, and we need the additional strength to handle transfinite induction.

— Using classical logic the axiom of set induction is equivalent to the axiom of foundation. But using intuitionistic logic, the axiom of foundation implies the law of the excluded middle, so we do not want it. The axiom of set induction will suffice for the development of ordinals and definitions by transfinite induction, so we adopt it.

— In IZF a set x is an ordinal if x is a transitive set of transitive sets (Powell). The assumption that every ordinal is either 0, a successor, or a limit implies the law of the excluded middle, so we do not have this principle in IZF. In IZF arguments about ordinals have to be carried out without separation into these three cases, a common classical technique. These ordinals can be used to provide a notion of rank. Setting x+1 = x ∪ {x}, it can be seen that

$\mathrm{rk}(x) = \bigcup \{\mathrm{rk}(z) + 1 \mid z \in x\}$

assigns an ordinal rank to every set in IZF, using the axiom of set induction. For ordinal α the ranked universe of level α is the transitive set

$V_\alpha = \bigcup \{\mathcal{P}(V_\beta) \mid \beta \in \alpha\}$.

The axiom of set induction implies that in IZF every set is in some ranked universe V_α. In particular, every element of V_α is a subset of V_β for some β ∈ α. Generally, we can carry out definitions by transfinite induction

$f(\alpha, x) = G(\alpha, x, g)$,

where g is f restricted to α, provided that there is no case analysis on the ordinals.

McCarty [1984] developed one realizability interpretation for IZF. There are others. His idea was

— to imitate Kleene [1945] realizability, according to which integers n realize propositions (are "evidence for propositions"). So n is regarded as a code for the n-th partial recursive function.

— to pass evidence past universal quantifiers, as in Kreisel–Troelstra interpretations, see Troelstra [1973]. Thus in the McCarty interpretation the only way to establish a universal is with a single piece of evidence which itself establishes every instance.

— to mimic the definition of V_α with a definition of W_α such that for all members x, S in any W_α the proposition "x ∈ S" is accompanied by the evidence n for this proposition.

Now S will be a subset of W_β for a β ∈ α, and we always want evidence n for x ∈ S, so we might as well let all such sets S consist of pairs (n, x), where n is an integer and x is an element of W_β and therefore a subset of a W_γ, γ ∈ β. But then there has to be a new definition of equality. Equality should mean that the sets of pairs (n, x) have equal elements. That is, S = T should mean that whenever (n, x) ∈ S, there is an m with (m, y) ∈ T and x = y, and conversely. This clearly requires a simultaneous inductive definition of membership and equality.

McCarty's universe W.

$W_\alpha = \bigcup_{\beta \in \alpha} \mathcal{P}(\omega \times W_\beta)$

$W = \bigcup_\alpha W_\alpha$

This is simply a proper class of names suitable for elementhood evidenced by integers, which we add as names to a first order language.

Equality.

e realizes a = b iff

$\forall f \forall d\,([\langle f, d\rangle \in a \to (ef)_0 \text{ realizes } d \in b] \wedge [\langle f, d\rangle \in b \to (ef)_1 \text{ realizes } d \in a])$

Membership.

e realizes a ∈ b iff

$\exists c\,(\langle e_0, c\rangle \in b) \wedge (e_1 \text{ realizes } a = c)$.

e realizes φ ∧ ψ iff e₀ realizes φ and e₁ realizes ψ.

e realizes φ ∨ ψ iff (e₀ = 0 ∧ e₁ realizes φ) or (e₀ = 1 ∧ e₁ realizes ψ).

e realizes φ → ψ iff ∀f (f realizes φ implies ef is defined and ef realizes ψ).

e realizes ∃xφ iff ∃a (e realizes φ[x/a]).

e realizes ∀xφ iff ∀a (e realizes φ[x/a]).

We say that φ is true in McCarty's model W if there is an e realizing φ. The semantics is sound for intuitionistic predicate logic with IZF as axioms, and provably so in IZF.
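An added example, neither McCarty's nor the notes' own, of the simultaneous inductive definition of membership and equality on finite names: a realizer of a = b is represented by a Python callable returning the pair ((ef)₀, (ef)₁), standing in for the integer code of a partial recursive function (an assumption of this model), and a search procedure produces the evidence for a = b or a ∈ b when it exists. The clauses for ∧ and ∨ are included; the names ONE_A, ONE_B, TWO are constructed.

```python
from typing import Callable, Optional, Tuple

# A name in W is a finite set of pairs (n, x): the integer n is the evidence
# that the name x is a member.  Names are frozensets, so they are hashable
# and can themselves occur as members.  Only finite names are modelled.
EMPTY = frozenset()

def name(*members: Tuple[int, frozenset]) -> frozenset:
    return frozenset(members)

def realizes_eq(e: Callable, a: frozenset, b: frozenset) -> bool:
    """e realizes a = b: for every (f, d) in a, (ef)_0 realizes d ∈ b, and
    for every (f, d) in b, (ef)_1 realizes d ∈ a.  Here e is a Python
    callable returning the pair ((ef)_0, (ef)_1): the integer code of a
    partial recursive function is replaced by the function it codes."""
    return (all(realizes_mem(e(f)[0], d, b) for f, d in a) and
            all(realizes_mem(e(f)[1], d, a) for f, d in b))

def realizes_mem(e: Tuple, a: frozenset, b: frozenset) -> bool:
    """e = (e_0, e_1) realizes a ∈ b: (e_0, c) is in b for some c and e_1
    realizes a = c.  Note the mutual recursion with realizes_eq: this is
    the simultaneous inductive definition of membership and equality."""
    e0, e1 = e
    return any(n == e0 and realizes_eq(e1, a, c) for n, c in b)

def realizes(e, phi) -> bool:
    """The clauses for =, ∈, ∧ and ∨ on formulas written as tuples:
    ('eq', a, b), ('mem', a, b), ('and', p, q), ('or', p, q)."""
    tag = phi[0]
    if tag == 'eq':
        return realizes_eq(e, phi[1], phi[2])
    if tag == 'mem':
        return realizes_mem(e, phi[1], phi[2])
    if tag == 'and':
        return realizes(e[0], phi[1]) and realizes(e[1], phi[2])
    return ((e[0] == 0 and realizes(e[1], phi[1])) or
            (e[0] == 1 and realizes(e[1], phi[2])))

def evidence_eq(a: frozenset, b: frozenset) -> Optional[Callable]:
    """Search for a realizer of a = b (None if there is none).  Assumes
    each evidence number occurs at most once within a name."""
    table = {}
    for f, d in a:
        ev = evidence_mem(d, b)
        if ev is None:
            return None
        table[f] = [ev, None]
    for f, d in b:
        ev = evidence_mem(d, a)
        if ev is None:
            return None
        table.setdefault(f, [None, None])[1] = ev
    return lambda f: tuple(table[f])

def evidence_mem(a: frozenset, b: frozenset) -> Optional[Tuple]:
    """Search for a realizer (n, e) of a ∈ b: some (n, c) in b with a = c."""
    for n, c in b:
        e = evidence_eq(a, c)
        if e is not None:
            return (n, e)
    return None

# Constructed names.  ONE_A and ONE_B both name {∅}, but record the empty
# set as a member with different evidence numbers 0 and 5; TWO names {∅, {∅}}.
ONE_A = name((0, EMPTY))
ONE_B = name((5, EMPTY))
TWO = name((0, EMPTY), (1, ONE_A))
```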


Programs from proofs in IZF.

Here is an application of this realizability to algorithm extraction. Suppose p is a deduction of "∀x∈ω ∃y φ(x, y) ∧ (φ is a recursive predicate)" from the axioms of IZF.

From p we can effectively compute a code f of a total recursive function such that ∀x∈ω φ(x, {f}(x)). The meaning is that any proof of ∀x∃yφ(x, y), together with any proof that φ is a recursive predicate, can be "compiled" to a program for computing a Skolem function {f}(x). In that proof, higher order impredicative notions may be used. The verification of this fact uses:

— the proof of soundness of realizability is uniformly effective in the codes of proofs,

— if Kleene's T(e, x, y) is realized, it is true, metatheoretically.

§15.  Resume  of  extractions  of  programs  from  proofs.  Automated  extraction  of  programs 
from  proofs  in  extensions  of  HA  has  been  an  impetus  for  development  of  very  high  level 
computer  languages.  Such  languages  as  AUTOMATH  (DeBruijn  [1973,  1980]),  NuPRL 
(Constable  [1986]),  the  theory  of  constructions  (Huet  and  Coquand  [1985]),  and  PX 
(Hayashi  [1989])  arise  from  such  logical  considerations.  This  relation  between  logic  and 
computation  is  one  of  the  main  reasons  for  studying  intuitionistic  systems  in  computer 
science. 

Curry  [1958]  was  the  first  exploration  of  the  identity  of  normalization  of  deductions  in  logic 
with  normalization  of  terms  in  a  typed  lambda  calculus.  Prawitz  [1965]  wrote  an 
important  monograph  in  which  normalization  in  intuitionistic  predicate  logic  is  made  to 
look  just  like  A-calculus  normalization.  The  Curry  propositional  logic-typed  lambda 
calculus  isomorphism  was  extended  to  HA  by  Howard  in  a  widely  ciroulated  and 
influential  msnuscript  in  1969.  (Howard  used  a  sequent  calculus  instead  of  natural 
deduction  on  the  logic  side,  and  A,  V  on  the  Heyting  arithmetic  side.)  However,  this 
manuscript  was  published  only  in  Howard  [1980].  Girard  read  Howard's  paper  for  HA,  and 
in  his  thesis  Girard  [1972]  extended  the  Curry-Howard  isomorphism  first  to  second  order 
intuitionistic  arithmetic  HAS  and  then  to  full  higher  order  Heyting  arithmetic  HAH,  where 
unbounded  quantification  over  functions  of  functions  of  functions...  is  allowed.  He  invented 
an  appropriate  typed  lambda  calculus  of  higher  type  (the  second  order  version  is  known  as 
system  F,  or  polymorphic  calculus)  in  the  process.  Girard  proved  strong  normalization  for 
these  typed  lambda  calculi,  generalizing  a  method  of  Tail  from  proof  theory. 

Independently, Reynolds invented the second order polymorphic typed lambda calculus in the 1970's in response to a 1967 program of Strachey. This calculus emphasizes generic or reusable code in a very strong way. In a typed lambda calculus for defining functions from terms of a type to terms of another type, a program is a lambda term that has to be evaluated, when applied to an argument, by reduction steps. Reynolds, in order to assure maximum reusability of lambda terms as subprocedures that need not be rewritten, suggested that types should be variable types, specializable to any types without interfering with the validity of reduction steps. This entails giving abstraction and application rules for types as well as the usual abstraction and application rules for the terms in which they appear, and strengthens LISP style functional languages significantly. Reynolds and his colleagues validated the reduction procedure appropriate to this calculus, proving a so-called strong normalization in which, unlike untyped lambda calculus, every term reduces to canonical form. Validating this reduction procedure is what is necessary to validate a LISP style interpreter or compiler for such a computer language. But they found that this difficult theorem was a special case of the 1972 thesis of Girard referred to above. This coincidence brought the proof theory of intuitionistic systems into the mainstream of computer science, where it is today.

Only in the early 1980's was it recognized that the second order Girard lambda calculus, system F, corresponding to HAS, is equivalent to Reynolds' polymorphic lambda calculus. This was after those working on Reynolds' program had duplicated much of Girard's work of a decade earlier. Girard had shown that under the Curry-Howard isomorphism, strong normalization for logics and for the corresponding lambda calculi are the same. This isomorphism extracts lambda calculus terms (or programs) from proofs in an intuitionistic theory. A computer implementation of the strong normalization procedure for the lambda calculus becomes the interpreter or compiler for evaluating terms. Typed lambda terms define functions, and reducing a lambda term applied to an argument to normal form represents computing the value of that function.
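As an added illustration (not from the paper), the following Python sketch of the second order polymorphic calculus shows the two levels of abstraction and application described above and uses the normalizer as the evaluator: the polymorphic identity ΛX.λx:X.x is specialized to several types, including its own type, and each application is type-checked and reduced to normal form. The tuple encoding of terms, the Nat constant and the assumption that bound names are distinct are choices of this example, not of the paper.

```python
# Added example (not from the paper): a tiny System F type checker and normalizer.
# Types: 'Nat', type variables (strings), ('->', a, b), ('forall', X, t).  Terms:
# ('var', x), ('lam', x, T, body), ('app', f, a), ('tlam', X, body), ('tapp', e, T)
# and the constant ('zero',).  Bound names are assumed distinct (demo simplification).
def tsubst(t, X, s):  # replace type variable X by type s inside type t
    if isinstance(t, str): return s if t == X else t
    if t[0] == '->': return ('->', tsubst(t[1], X, s), tsubst(t[2], X, s))
    return t if t[1] == X else ('forall', t[1], tsubst(t[2], X, s))

def typeof(e, env=None):  # type of term e under env (variable -> type)
    env, k = env or {}, e[0]
    if k == 'var':  return env[e[1]]
    if k == 'zero': return 'Nat'
    if k == 'lam':  return ('->', e[2], typeof(e[3], {**env, e[1]: e[2]}))
    if k == 'tlam': return ('forall', e[1], typeof(e[2], env))  # type abstraction
    if k == 'app':
        f, a = typeof(e[1], env), typeof(e[2], env)
        if not (isinstance(f, tuple) and f[0] == '->' and f[1] == a):
            raise TypeError(f'cannot apply {f} to {a}')
        return f[2]
    f = typeof(e[1], env)                                       # type application
    if not (isinstance(f, tuple) and f[0] == 'forall'):
        raise TypeError(f'type application to non-polymorphic {f}')
    return tsubst(f[2], f[1], e[2])   # specialize the forall body to e[2]

def subst(e, x, v, is_type=False):  # v for term var x, or for type var x if is_type
    k, rec = e[0], lambda s: subst(s, x, v, is_type)
    ts = (lambda T: tsubst(T, x, v)) if is_type else (lambda T: T)
    if k == 'var':  return v if (not is_type and e[1] == x) else e
    if k == 'lam':  return ('lam', e[1], ts(e[2]), rec(e[3]))
    if k == 'app':  return ('app', rec(e[1]), rec(e[2]))
    if k == 'tlam': return ('tlam', e[1], rec(e[2]))
    return ('tapp', rec(e[1]), ts(e[2])) if k == 'tapp' else e

def normalize(e):  # beta-reduce at both the term level and the type level
    k = e[0]
    if k == 'app':
        f, a = normalize(e[1]), normalize(e[2])
        return normalize(subst(f[3], f[1], a)) if f[0] == 'lam' else ('app', f, a)
    if k == 'tapp':
        f = normalize(e[1])
        return normalize(subst(f[2], f[1], e[2], True)) if f[0] == 'tlam' else ('tapp', f, e[2])
    if k == 'lam':  return ('lam', e[1], e[2], normalize(e[3]))
    return ('tlam', e[1], normalize(e[2])) if k == 'tlam' else e

ID = ('tlam', 'X', ('lam', 'x', 'X', ('var', 'x')))  # polymorphic identity: ΛX. λx:X. x

def apply_poly_id(T, arg):  # specialize ID to type T, apply to arg -> (type, normal form)
    e = ('app', ('tapp', ID, T), arg)
    return typeof(e), normalize(e)
```

Because types are checked before reduction and the normal form has the same type, the same ID term serves as Nat -> Nat, as (Nat -> Nat) -> (Nat -> Nat), and even at its own polymorphic type, which is the code reuse Reynolds was after.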

What functions does such a formalism compute, and are they adequate for a theory of computation? The answer was provided by proof theory. First consider the subject for which Howard invented a term calculus for a fragment of HA, first order Heyting arithmetic. What total functions does his corresponding typed lambda calculus compute? Gödel showed by his functional interpretation that the provably recursive functions of HA are precisely the provably recursive functions of Peano classical first order arithmetic. These were characterized by Gödel as the primitive recursive functionals of finite type, which use ordinary primitive recursion but allow function variables of finite type. This class already contains far more functions than will ever be used in the world of computing.
The corresponding class of functions computable in second order intuitionistic arithmetic HAS, or equivalently in Reynolds' polymorphic lambda calculus, is yet wider. Extending Gödel's results, Harvey Friedman [1978] showed that the functions computed in second order intuitionistic logic are exactly those provably recursive in second order classical arithmetic. With a little effort this can be seen to be the class of functions computed by Girard's second order system F, or equivalently Reynolds' polymorphic lambda calculus.

There is a provably total recursive function in second order arithmetic enumerating all provably total recursive functions of first order arithmetic, so a diagonal argument shows that second order arithmetic has more provably recursive functions than first order arithmetic. So more functions are computed by the second order polymorphic lambda calculus than by the first order lambda calculus of Howard, which already computes more functions than will ever be needed.

If the typed lambda calculus of Howard corresponding to first order Heyting arithmetic already computes more functions than are needed in practice, why go on to a second order or higher order lambda calculus such as Girard's or Reynolds'?

- Because of the polymorphism, which makes code easily reusable by specializing types.

- Mathematicians naturally write their proofs in second order logic, and their natural datatypes, defined by induction, are naturally expressed in second order logic. If a proof of the existence of a function G is constructive, the Curry-Howard isomorphism automatically extracts a lambda term which acts as an algorithm (via execution of a strong normalization procedure) to compute G. For this point of view, see Leivant [1983, 1989].

But this feature leads in yet another direction. Martin-Löf was stimulated to invent extremely powerful predicative extensions of HA to transfinite levels. Predicative means roughly that in the construction (or definition) of a mathematical object X, the quantifiers in the definition of X must range only over previously defined objects. This excludes X being introduced by a definition in which the quantifiers range over a domain including X itself. (Limitation to the use of only predicative definitions was advocated by the great French mathematician of the turn of the 20th century, Henri Poincaré.)

Martin-Löf viewed the Curry-Howard isomorphism as a key to giving a computational semantic meaning to logical connectives. The operation on typed lambda terms corresponding to each rule of deduction for introducing and eliminating a logical connective assigns a computational meaning to that connective. The Martin-Löf systems are built by a simultaneous inductive definition of both the logic and a corresponding generalization of typed lambda calculus. He does not distinguish between the two sides of the Curry-Howard isomorphism, but this is because his is indeed a simultaneous inductive definition of each in terms of both. The predicative character of the system is due to its simultaneous inductive definition of logical deduction and term reduction. His systems are described in a formalization due to Aczel in Beeson [1985]. A Martin-Löf system was chosen by Constable in the middle 1970's as the best candidate for implementation of a language to extract programs from constructive proofs. This language is now embedded in Constable's NuPRL. The AUTOMATH language of de Bruijn is similar but was developed independently of formal knowledge of the Curry-Howard isomorphism. Similar languages based on other primitives are due to Feferman (explicit mathematics) and Aczel (Frege structures). The Huet-Coquand theory of constructions [1985] is a powerful impredicative extension of Girard's ω-level F^ω being implemented within ULYSSES at Odyssey Research.

Every notion of recursive realizability extracts programs from proofs. Realizability for intuitionistic analysis and set theory has been investigated by Kleene, Kreisel and Troelstra, and McCarty. These realizabilities have not yet been exploited in computer science, but have some promise since they extract programs from the mathematician's ordinary proofs, so long as they are constructive, without having to avoid higher order or transfinite notions.